Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[loki] more events than what happened based on log #2843

Open
pschiffe opened this issue Feb 13, 2024 · 8 comments
Open

[loki] more events than what happened based on log #2843

pschiffe opened this issue Feb 13, 2024 · 8 comments
Labels
kind/bug Something isn't working needs/triage version/1.6.0

Comments

@pschiffe
Copy link

What happened?

For example, this IP was banned: 91.73.194.178. In the logs I only see:

Feb 13 16:15:03 a8b63ef262ff postfix/smtps/smtpd[103975]: connect from unknown[91.73.194.178]
Feb 13 16:15:05 a8b63ef262ff postfix/smtps/smtpd[103975]: Anonymous TLS connection established from unknown[91.73.194.178]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 13 16:15:12 a8b63ef262ff postfix/smtps/smtpd[103975]: warning: unknown[91.73.194.178]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=some_user
Feb 13 16:15:13 a8b63ef262ff postfix/smtps/smtpd[103975]: lost connection after AUTH from unknown[91.73.194.178]
Feb 13 16:15:13 a8b63ef262ff postfix/smtps/smtpd[103975]: disconnect from unknown[91.73.194.178] ehlo=1 auth=0/1 commands=1/2

But the alert says there was 6 events:

$ docker exec -it crowdsec cscli alerts inspect 691 -d

################################################################################################

 - ID           : 691
 - Date         : 2024-02-13T16:15:15Z
 - Machine      : localhost
 - Simulation   : false
 - Reason       : crowdsecurity/postfix-spam
 - Events Count : 6
 - Scope:Value  : Ip:91.73.194.178
 - Country      : AE
 - AS           : Emirates Integrated Telecommunications Company PJSC
 - Begin        : 2024-02-13 16:15:12 +0000 UTC
 - End          : 2024-02-13 16:15:14 +0000 UTC
 - UUID         : 44b472e0-b5ea-498c-8bf0-e90707ee8cef

 - Active Decisions  :
╭─────────┬──────────────────┬────────┬────────────────────┬──────────────────────╮
│   ID    │   scope:value    │ action │     expiration     │      created_at      │
├─────────┼──────────────────┼────────┼────────────────────┼──────────────────────┤
│ 1498812 │ Ip:91.73.194.178 │ ban    │ 165h8m55.55667434s │ 2024-02-13T16:15:15Z │
╰─────────┴──────────────────┴────────┴────────────────────┴──────────────────────╯

 - Events  :

- Date: 2024-02-13 16:15:12 +0000 UTC
╭─────────────────┬─────────────────────────────────────────────────────╮
│       Key       │                        Value                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNNumber       │ 15802                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNOrg          │ Emirates Integrated Telecommunications Company PJSC │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsInEU          │ false                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsoCode         │ AE                                                  │
├─────────────────┼─────────────────────────────────────────────────────┤
│ SourceRange     │ 91.72.0.0/14                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_path │ http://loki:3100/                                   │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_type │ loki                                                │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type        │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type_enh    │ spam-attempt                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ machine         │ a8b63ef262ff                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ service         │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_hostname │ unknown                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_ip       │ 91.73.194.178                                       │
├─────────────────┼─────────────────────────────────────────────────────┤
│ timestamp       │ 2024-02-13T16:15:12Z                                │
╰─────────────────┴─────────────────────────────────────────────────────╯

- Date: 2024-02-13 16:15:13 +0000 UTC
╭─────────────────┬─────────────────────────────────────────────────────╮
│       Key       │                        Value                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNNumber       │ 15802                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNOrg          │ Emirates Integrated Telecommunications Company PJSC │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsInEU          │ false                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsoCode         │ AE                                                  │
├─────────────────┼─────────────────────────────────────────────────────┤
│ SourceRange     │ 91.72.0.0/14                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_path │ http://loki:3100/                                   │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_type │ loki                                                │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type        │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type_enh    │ spam-attempt                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ machine         │ a8b63ef262ff                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ service         │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_hostname │ unknown                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_ip       │ 91.73.194.178                                       │
├─────────────────┼─────────────────────────────────────────────────────┤
│ timestamp       │ 2024-02-13T16:15:13Z                                │
╰─────────────────┴─────────────────────────────────────────────────────╯

- Date: 2024-02-13 16:15:13 +0000 UTC
╭─────────────────┬─────────────────────────────────────────────────────╮
│       Key       │                        Value                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNNumber       │ 15802                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNOrg          │ Emirates Integrated Telecommunications Company PJSC │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsInEU          │ false                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsoCode         │ AE                                                  │
├─────────────────┼─────────────────────────────────────────────────────┤
│ SourceRange     │ 91.72.0.0/14                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_path │ http://loki:3100/                                   │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_type │ loki                                                │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type        │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type_enh    │ spam-attempt                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ machine         │ a8b63ef262ff                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ service         │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_hostname │ unknown                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_ip       │ 91.73.194.178                                       │
├─────────────────┼─────────────────────────────────────────────────────┤
│ timestamp       │ 2024-02-13T16:15:13Z                                │
╰─────────────────┴─────────────────────────────────────────────────────╯

- Date: 2024-02-13 16:15:13 +0000 UTC
╭─────────────────┬─────────────────────────────────────────────────────╮
│       Key       │                        Value                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNNumber       │ 15802                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNOrg          │ Emirates Integrated Telecommunications Company PJSC │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsInEU          │ false                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsoCode         │ AE                                                  │
├─────────────────┼─────────────────────────────────────────────────────┤
│ SourceRange     │ 91.72.0.0/14                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_path │ http://loki:3100/                                   │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_type │ loki                                                │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type        │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type_enh    │ spam-attempt                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ machine         │ a8b63ef262ff                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ service         │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_hostname │ unknown                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_ip       │ 91.73.194.178                                       │
├─────────────────┼─────────────────────────────────────────────────────┤
│ timestamp       │ 2024-02-13T16:15:13Z                                │
╰─────────────────┴─────────────────────────────────────────────────────╯

- Date: 2024-02-13 16:15:13 +0000 UTC
╭─────────────────┬─────────────────────────────────────────────────────╮
│       Key       │                        Value                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNNumber       │ 15802                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNOrg          │ Emirates Integrated Telecommunications Company PJSC │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsInEU          │ false                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsoCode         │ AE                                                  │
├─────────────────┼─────────────────────────────────────────────────────┤
│ SourceRange     │ 91.72.0.0/14                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_path │ http://loki:3100/                                   │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_type │ loki                                                │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type        │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type_enh    │ spam-attempt                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ machine         │ a8b63ef262ff                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ service         │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_hostname │ unknown                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_ip       │ 91.73.194.178                                       │
├─────────────────┼─────────────────────────────────────────────────────┤
│ timestamp       │ 2024-02-13T16:15:13Z                                │
╰─────────────────┴─────────────────────────────────────────────────────╯

- Date: 2024-02-13 16:15:13 +0000 UTC
╭─────────────────┬─────────────────────────────────────────────────────╮
│       Key       │                        Value                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNNumber       │ 15802                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ ASNOrg          │ Emirates Integrated Telecommunications Company PJSC │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsInEU          │ false                                               │
├─────────────────┼─────────────────────────────────────────────────────┤
│ IsoCode         │ AE                                                  │
├─────────────────┼─────────────────────────────────────────────────────┤
│ SourceRange     │ 91.72.0.0/14                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_path │ http://loki:3100/                                   │
├─────────────────┼─────────────────────────────────────────────────────┤
│ datasource_type │ loki                                                │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type        │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ log_type_enh    │ spam-attempt                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ machine         │ a8b63ef262ff                                        │
├─────────────────┼─────────────────────────────────────────────────────┤
│ service         │ postfix                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_hostname │ unknown                                             │
├─────────────────┼─────────────────────────────────────────────────────┤
│ source_ip       │ 91.73.194.178                                       │
├─────────────────┼─────────────────────────────────────────────────────┤
│ timestamp       │ 2024-02-13T16:15:13Z                                │
╰─────────────────┴─────────────────────────────────────────────────────╯

This is causing me false positives with scenarios such as crowdsecurity/postfix-spam, crowdsecurity/http-crawl-non_statics, LePresidente/http-generic-403-bf. Other scenarios are working fine.

Acquisition for postfix logs:

source: loki
log_level: info
url: http://loki:3100/
headers:
  X-Scope-OrgID: someorg
query: |
  {container=~"mailcowdockerized-postfix-mailcow-1|mailcowdockerized-dovecot-mailcow-1"} | json | line_format `{{.MESSAGE}}`
labels:
  type: syslog

What did you expect to happen?

Less events based on logs.

How can we reproduce it (as minimally and precisely as possible)?

See above.

Anything else we need to know?

No response

Crowdsec version

$ cscli version
2024/02/13 19:13:08 version: v1.6.0-4192af30
2024/02/13 19:13:08 Codename: alphaga
2024/02/13 19:13:08 BuildDate: 2024-01-31_13:41:30
2024/02/13 19:13:08 GoVersion: 1.21.6
2024/02/13 19:13:08 Platform: docker
2024/02/13 19:13:08 libre2: C++
2024/02/13 19:13:08 Constraint_parser: >= 1.0, <= 3.0
2024/02/13 19:13:08 Constraint_scenario: >= 1.0, <= 3.0
2024/02/13 19:13:08 Constraint_api: v1
2024/02/13 19:13:08 Constraint_acquis: >= 1.0, < 2.0

OS version

# On Linux:
$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="38 (Server Edition)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora Linux 38 (Server Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f38/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=38
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=38
SUPPORT_END=2024-05-14
VARIANT="Server Edition"
VARIANT_ID=server

$ uname -a
Linux hostname 6.7.4-100.fc38.aarch64 #1 SMP PREEMPT_DYNAMIC Mon Feb  5 23:01:12 UTC 2024 aarch64 GNU/Linux

Enabled collections and parsers

$ cscli hub list -o raw
name,status,version,description,type
crowdsecurity/cri-logs,enabled,0.1,CRI logging format parser,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers
crowdsecurity/dovecot-logs,enabled,0.8,Parse dovecot logs,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.2,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nextcloud-logs,enabled,0.3,Parse nextcloud logs,parsers
crowdsecurity/nextcloud-whitelist,enabled,0.7,Whitelist events from nextcloud,parsers
crowdsecurity/nginx-logs,enabled,1.5,Parse nginx access and error logs,parsers
crowdsecurity/postfix-logs,enabled,0.6,Parse postfix logs,parsers
crowdsecurity/postscreen-logs,enabled,0.2,Parse postscreen logs,parsers
crowdsecurity/sshd-logs,enabled,2.3,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/traefik-logs,enabled,0.9,Parse Traefik access logs,parsers
crowdsecurity/whitelists,"enabled,local",,,parsers
someorg/envoy-logs,"enabled,local",,,parsers
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
someorg/rdns_whitelist,"enabled,local",,,postoverflows
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.5,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.2,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.2,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/dovecot-spam,enabled,0.5,detect errors on dovecot,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.3,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.5,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.1,Detect usage of bad User Agent,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.2,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.2,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.6,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.3,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.3,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.3,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.3,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-xss-probing,enabled,0.3,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.2,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.3,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nextcloud-bf,enabled,0.3,Detect Nextcloud bruteforce,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.3,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/postfix-spam,enabled,0.4,Detect spammers,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.4,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.2,detect w00tw00t,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.2,,contexts
crowdsecurity/base-http-scenarios,enabled,0.8,http common : scanners detection,collections
crowdsecurity/dovecot,enabled,0.1,dovecot support : parser and spammer detection,collections
crowdsecurity/http-cve,enabled,2.5,Detect CVE exploitation in http logs,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nextcloud,enabled,0.3,Nextcloud support : parser and brute-force detection,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/postfix,enabled,0.2,postfix support : parser and spammer detection,collections
crowdsecurity/sshd,enabled,0.3,sshd support : parser and brute-force detection,collections
crowdsecurity/traefik,enabled,0.1,traefik support: parser and generic http scenarios,collections

Acquisition config

# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
filenames:
  - /var/log/nginx/*.log
  - ./tests/nginx/nginx.log
#this is not a syslog log, indicate which kind of logs it is
labels:
  type: nginx
---
filenames:
 - /var/log/auth.log
 - /var/log/syslog
labels:
  type: syslog
---
filename: /var/log/apache2/*.log
labels:
  type: apache2
source: loki
log_level: info
url: http://loki:3100/
headers:
  X-Scope-OrgID: someorg
query: |
  {container="pomerium"} | json | line_format `{{.MESSAGE}}` |= "service\":\"envoy"
labels:
  type: envoy
source: loki
log_level: info
url: http://loki:3100/
headers:
  X-Scope-OrgID: someorg
query: |
  {container=~"mailcowdockerized-postfix-mailcow-1|mailcowdockerized-dovecot-mailcow-1"} | json | line_format `{{.MESSAGE}}`
labels:
  type: syslog
source: loki
log_level: info
url: http://loki:3100/
headers:
  X-Scope-OrgID: someorg
query: |
  {container="nextcloud"}
labels:
  type: Nextcloud
source: loki
log_level: info
url: http://loki:3100/
headers:
  X-Scope-OrgID: someorg
query: |
  {container="mailcowdockerized-nginx-mailcow-1"} | json | line_format `{{.MESSAGE}}`
labels:
  type: nginx
source: loki
log_level: info
url: http://loki:3100/
headers:
  X-Scope-OrgID: someorg
query: |
  {container="traefik"} | json | line_format `{{.MESSAGE}}`
labels:
  type: traefik

</details>


### Config show

<details>

```console
$ cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : stdout
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              : 
API Client:
  - URL                     : http://0.0.0.0:8080/
  - Login                   : localhost
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 0.0.0.0:8080
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : mysql
      - Host                : mysql
      - Port                : 3306
      - User                : crowdsec
      - DB Name             : crowdsec
      - Flush age           : 7d
      - Flush size          : 5000

Prometheus metrics

$ cscli metrics

Acquisition Metrics:
╭─────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│                 Source                  │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├─────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ loki:http:/loki:3100/                   │ 113.34k    │ 45.94k       │ 67.40k         │ 1.60k                  │
╰─────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Bucket Metrics:
╭───────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│                Bucket                 │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├───────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ LePresidente/http-generic-403-bf      │ -             │ 2         │ 3            │ 13     │ 1       │
│ crowdsecurity/http-backdoors-attempts │ -             │ -         │ 1            │ 1      │ 1       │
│ crowdsecurity/http-crawl-non_statics  │ 1             │ 10        │ 804          │ 1.45k  │ 793     │
│ crowdsecurity/http-probing            │ -             │ -         │ 32           │ 36     │ 32      │
│ crowdsecurity/http-sensitive-files    │ -             │ -         │ 1            │ 1      │ 1       │
│ crowdsecurity/postfix-spam            │ 1             │ 4         │ 39           │ 106    │ 34      │
╰───────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Parser Metrics:
╭─────────────────────────────────────┬─────────┬────────┬──────────╮
│               Parsers               │  Hits   │ Parsed │ Unparsed │
├─────────────────────────────────────┼─────────┼────────┼──────────┤
│ child-crowdsecurity/dovecot-logs    │ 41.22k  │ 19.53k │ 21.69k   │
│ child-crowdsecurity/http-logs       │ 78.90k  │ 60.23k │ 18.67k   │
│ child-crowdsecurity/nginx-logs      │ 14.18k  │ 14.17k │ 8        │
│ child-crowdsecurity/postfix-logs    │ 152.91k │ 114    │ 152.79k  │
│ child-crowdsecurity/postscreen-logs │ 5.65k   │ -      │ 5.65k    │
│ child-crowdsecurity/syslog-logs     │ 87.04k  │ 87.04k │ -        │
│ child-crowdsecurity/traefik-logs    │ 19.83k  │ 9.91k  │ 9.91k    │
│ child-websignal/envoy-logs          │ 2.22k   │ 2.22k  │ -        │
│ crowdsecurity/dateparse-enrich      │ 45.94k  │ 45.94k │ -        │
│ crowdsecurity/dovecot-logs          │ 24.95k  │ 19.53k │ 5.42k    │
│ crowdsecurity/geoip-enrich          │ 45.94k  │ 45.94k │ -        │
│ crowdsecurity/http-logs             │ 26.30k  │ 26.29k │ 7        │
│ crowdsecurity/nextcloud-whitelist   │ 26.30k  │ 26.30k │ -        │
│ crowdsecurity/nginx-logs            │ 14.17k  │ 14.17k │ -        │
│ crowdsecurity/non-syslog            │ 26.30k  │ 26.30k │ -        │
│ crowdsecurity/postfix-logs          │ 51.03k  │ 114    │ 50.91k   │
│ crowdsecurity/postscreen-logs       │ 5.65k   │ -      │ 5.65k    │
│ crowdsecurity/rdns                  │ 7       │ 7      │ -        │
│ crowdsecurity/syslog-logs           │ 87.04k  │ 87.04k │ -        │
│ crowdsecurity/traefik-logs          │ 9.91k   │ 9.91k  │ -        │
│ crowdsecurity/whitelists            │ 45.94k  │ 45.94k │ -        │
│ someorg/envoy-logs                  │ 2.22k   │ 2.22k  │ -        │
│ someorg/rdns_whitelist              │ 7       │ 7      │ -        │
╰─────────────────────────────────────┴─────────┴────────┴──────────╯

Local API Metrics:
╭──────────────────────┬────────┬──────╮
│        Route         │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts           │ GET    │ 8    │
│ /v1/alerts           │ POST   │ 7    │
│ /v1/alerts/691       │ GET    │ 4    │
│ /v1/alerts/692       │ GET    │ 2    │
│ /v1/alerts/693       │ GET    │ 3    │
│ /v1/alerts/696       │ GET    │ 3    │
│ /v1/decisions        │ DELETE │ 3    │
│ /v1/decisions/stream │ GET    │ 9525 │
│ /v1/heartbeat        │ GET    │ 158  │
│ /v1/watchers/login   │ POST   │ 29   │
╰──────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭───────────┬────────────────┬────────┬──────╮
│  Machine  │     Route      │ Method │ Hits │
├───────────┼────────────────┼────────┼──────┤
│ localhost │ /v1/alerts/692 │ GET    │ 2    │
│ localhost │ /v1/alerts/693 │ GET    │ 3    │
│ localhost │ /v1/alerts/696 │ GET    │ 3    │
│ localhost │ /v1/heartbeat  │ GET    │ 158  │
│ localhost │ /v1/decisions  │ DELETE │ 3    │
│ localhost │ /v1/alerts     │ GET    │ 8    │
│ localhost │ /v1/alerts     │ POST   │ 7    │
│ localhost │ /v1/alerts/691 │ GET    │ 4    │
╰───────────┴────────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭─────────┬──────────────────────┬────────┬──────╮
│ Bouncer │        Route         │ Method │ Hits │
├─────────┼──────────────────────┼────────┼──────┤
│ xx      │ /v1/decisions/stream │ GET    │ 953  │
│ xx      │ /v1/decisions/stream │ GET    │ 953  │
│ xx      │ /v1/decisions/stream │ GET    │ 953  │
│ xx      │ /v1/decisions/stream │ GET    │ 953  │
│ xx      │ /v1/decisions/stream │ GET    │ 953  │
│ xx      │ /v1/decisions/stream │ GET    │ 953  │
│ xx      │ /v1/decisions/stream │ GET    │ 952  │
│ xx      │ /v1/decisions/stream │ GET    │ 951  │
│ xx      │ /v1/decisions/stream │ GET    │ 952  │
│ xx      │ /v1/decisions/stream │ GET    │ 952  │
╰─────────┴──────────────────────┴────────┴──────╯

Local API Decisions:
╭────────────────────────────────────────────┬──────────┬────────┬───────╮
│                   Reason                   │  Origin  │ Action │ Count │
├────────────────────────────────────────────┼──────────┼────────┼───────┤
│ crowdsecurity/ssh-slow-bf                  │ CAPI     │ ban    │ 62    │
│ crowdsecurity/CVE-2023-22518               │ CAPI     │ ban    │ 12    │
│ crowdsecurity/CVE-2023-49103               │ CAPI     │ ban    │ 313   │
│ crowdsecurity/CVE-2023-49103               │ crowdsec │ ban    │ 2     │
│ crowdsecurity/f5-big-ip-cve-2020-5902      │ CAPI     │ ban    │ 28    │
│ crowdsecurity/http-crawl-non_statics       │ CAPI     │ ban    │ 661   │
│ crowdsecurity/jira_cve-2021-26086          │ CAPI     │ ban    │ 18    │
│ crowdsecurity/nginx-req-limit-exceeded     │ CAPI     │ ban    │ 41    │
│ crowdsecurity/ssh-bf                       │ CAPI     │ ban    │ 15029 │
│ otx-webscanners                            │ lists    │ ban    │ 8369  │
│ crowdsecurity/CVE-2022-37042               │ CAPI     │ ban    │ 25    │
│ crowdsecurity/CVE-2022-41082               │ CAPI     │ ban    │ 986   │
│ crowdsecurity/http-cve-2021-42013          │ CAPI     │ ban    │ 5     │
│ crowdsecurity/http-open-proxy              │ CAPI     │ ban    │ 1612  │
│ crowdsecurity/http-sensitive-files         │ CAPI     │ ban    │ 56    │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI     │ ban    │ 413   │
│ crowdsecurity/dovecot-spam                 │ CAPI     │ ban    │ 1207  │
│ crowdsecurity/postfix-spam                 │ CAPI     │ ban    │ 180   │
│ crowdsecurity/postfix-spam                 │ crowdsec │ ban    │ 15    │
│ crowdsecurity/CVE-2019-18935               │ CAPI     │ ban    │ 121   │
│ crowdsecurity/http-probing                 │ CAPI     │ ban    │ 2263  │
│ crowdsecurity/grafana-cve-2021-43798       │ CAPI     │ ban    │ 50    │
│ crowdsecurity/thinkphp-cve-2018-20062      │ CAPI     │ ban    │ 12    │
│ ltsich/http-w00tw00t                       │ CAPI     │ ban    │ 2     │
│ crowdsecurity/CVE-2022-42889               │ CAPI     │ ban    │ 5     │
│ crowdsecurity/fortinet-cve-2018-13379      │ CAPI     │ ban    │ 72    │
│ crowdsecurity/netgear_rce                  │ CAPI     │ ban    │ 21    │
│ firehol_botscout_7d                        │ lists    │ ban    │ 3982  │
│ crowdsecurity/CVE-2022-35914               │ CAPI     │ ban    │ 64    │
│ crowdsecurity/CVE-2023-22515               │ CAPI     │ ban    │ 21    │
│ crowdsecurity/http-backdoors-attempts      │ CAPI     │ ban    │ 1875  │
│ crowdsecurity/http-bad-user-agent          │ CAPI     │ ban    │ 18941 │
│ crowdsecurity/http-bad-user-agent          │ crowdsec │ ban    │ 25    │
│ firehol_greensnow                          │ lists    │ ban    │ 8085  │
│ crowdsecurity/CVE-2022-26134               │ CAPI     │ ban    │ 260   │
│ crowdsecurity/http-admin-interface-probing │ CAPI     │ ban    │ 2563  │
│ crowdsecurity/http-cve-2021-41773          │ CAPI     │ ban    │ 34    │
│ crowdsecurity/http-generic-bf              │ CAPI     │ ban    │ 49    │
│ crowdsecurity/http-path-traversal-probing  │ CAPI     │ ban    │ 242   │
╰────────────────────────────────────────────┴──────────┴────────┴───────╯

Local API Alerts:
╭────────────────────────────────────────────┬───────╮
│                   Reason                   │ Count │
├────────────────────────────────────────────┼───────┤
│ crowdsecurity/CVE-2019-18935               │ 2     │
│ crowdsecurity/CVE-2023-49103               │ 5     │
│ crowdsecurity/http-crawl-non_statics       │ 39    │
│ LePresidente/http-generic-403-bf           │ 2     │
│ crowdsecurity/http-admin-interface-probing │ 4     │
│ crowdsecurity/http-backdoors-attempts      │ 6     │
│ crowdsecurity/http-bad-user-agent          │ 458   │
│ crowdsecurity/http-probing                 │ 11    │
│ crowdsecurity/http-sensitive-files         │ 2     │
│ crowdsecurity/netgear_rce                  │ 3     │
│ crowdsecurity/postfix-spam                 │ 17    │
│ crowdsecurity/CVE-2022-41082               │ 6     │
╰────────────────────────────────────────────┴───────╯

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

No response
@pschiffe pschiffe added the kind/bug Something isn't working label Feb 13, 2024
@github-actions GitHub Actions
Copy link

@pschiffe: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@blotus
Copy link
Member

blotus commented Feb 14, 2024

Hello,

I saw on your discord thread that you had multiple loki data sources configured.
Can you confirm that none of the different data sources will get the same logs? Crowdsec does not perform any deduplication on the logs it reads, so you must ensure a single line will only be seen once.

Do you have a rough idea of how many logs per second are pushed to loki ?

You can also set the data source to trace (by setting log_level: trace in the acquis configuration) to see exactly what crowdsec read (just to be aware, it will likely spam the logs a lot)

@pschiffe
Copy link
Author

Hi @blotus, thank you for your reply. I do have multiple loki data sources configured, but none of them reads the same logs, the queries are distinct. You can see the acquis log files in the details in the issue description above.

Roughly there's 10 to 25 logs per second pushed to loki now in total, but crowdsec is reading maybe half of that.

I'll check the trace log if I can see something there.

@pschiffe
Copy link
Author

Here's a trace log from single loki datasource: crowdsec_trace.txt

$ cat /etc/container-crowdsec/acquis.d/loki_mail.yaml 
source: loki
log_level: trace
url: http://loki:3100/
headers:
  X-Scope-OrgID: someorg
query: |
  {container=~"mailcowdockerized-postfix-mailcow-1|mailcowdockerized-dovecot-mailcow-1"} | json | line_format `{{.MESSAGE}}`
labels:
  type: syslog

You can try to search for a log line - connect from arsyline2.vshosting.cz[185.59.208.36] (some remote server), and you can see that it's there multiple times.

@pschiffe
Copy link
Author

Let me know if you need anything else from my side.

@LaurenceJJones
Copy link
Contributor

Let me know if you need anything else from my side.

Hi 👋🏻 we just need find time to replicate, currently we have internal projects and upcoming release of 1.6.1. If we don't have time before 1.6.1 we will dedicate time for 1.6.2

@pschiffe
Copy link
Author

pschiffe commented Mar 4, 2024

Hello, I have an update that may or may not be related. Roughly after a day or two of crowdsec running, the loki integration dies with:

time="2024-03-03T20:20:40Z" level=warning msg="loki is not available, will retry for 30s" component=lokiclient source="http://loki:3100/" type=loki
time="2024-03-03T20:21:13Z" level=error msg="loki didn't manage to recover after 30s, giving up" component=lokiclient source="http://loki:3100/" type=loki

However loki is working fine, receiving data and I can browse the logs in Grafana. After crowdsec restart, it works again for a couple of days and then dies...

Previously when it died, the metrics said that the loki acquisition read around 8 millions of lines.

@LaurenceJJones
Copy link
Contributor

Hello, I have an update that may or may not be related. Roughly after a day or two of crowdsec running, the loki integration dies with:

time="2024-03-03T20:20:40Z" level=warning msg="loki is not available, will retry for 30s" component=lokiclient source="http://loki:3100/" type=loki
time="2024-03-03T20:21:13Z" level=error msg="loki didn't manage to recover after 30s, giving up" component=lokiclient source="http://loki:3100/" type=loki

However loki is working fine, receiving data and I can browse the logs in Grafana. After crowdsec restart, it works again for a couple of days and then dies...

Previously when it died, the metrics said that the loki acquisition read around 8 millions of lines.

Hmm there is an incremental backoff features but personally I would not expect the acquisition to end if it has already made successful connections in the past since it knows the configuration is valid. 🤔

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working needs/triage version/1.6.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@blotus @pschiffe @LaurenceJJones