Ban all IPs parsed from a specific acquisition

I'm trying to find the best way to create a trigger scenario where all detected IPs from aquis.d/myacquis.yaml, that collects nginx logs, are banned. What's the cleanest way to achieve that? Should I add a label in the aquisition file and create a scenario where I filter by that? I'm reading the documentation and watching academy videos, but I would appreciate a syntax kickstart, thank you
5 Replies
CrowdSec
CrowdSec9mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
blotus
blotus9mo ago
Hello, yes adding a custom label in the acquisition is probably the best way to do this. The acquisition would look like this:
```yaml
filenames:
  - /path/to/nginx.log
labels:
  type: nginx # needed for the nginx parser
  alwaysban: true # we are going to use this in our scenario
```
Then your scenario will be like this:
```yaml
type: trigger
format: 2.0
name: my/customscenario # replace this
description: "always ban those IPs" # replace this
filter: evt.Line.Labels.alwaysban == "true"
groupby: evt.Meta.source_ip
blackhole: "1m" # to avoid spamming alerts
labels:
  remediation: true
```
What's your use case? There might be better ways to achieve what you want to do.
looterino
looterinoOP9mo ago
thank you blotus, I came to a similar conclusion but filtering by log file, so I can avoid adding a label:

```yaml
filter: |
  evt.Meta.datasource_path == '/path/to/.log'
```

my use case is a log file where multiple nginx servers store specific logs in, basically another webserver-side filter, customized in the nginx configuration. I prefer this way, at least for now, instead of filtering all logs in crowdsec, because I just started learning crowdsec and I'm migrating from an old custom script solution (that parses the log files too, a really dumb version of crowdsec that did not exist at the time 😁) that's in production.

I have one more question: I have multiple type: nginx acquisitions. Can I restrict the default nginx parser to a specific acquisition and have another nginx parser tied to another acquisition?
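To make the two filtering approaches in this thread concrete (the label-based filter from blotus's scenario and the datasource-path filter above), here is an added toy model of how a trigger scenario consumes events. It is illustration written for this page, not CrowdSec's own code: it assumes an event is a nested dict mirroring `evt.Line.Labels` and `evt.Meta`, it only understands filters of the `evt.<path> == "<literal>"` shape used in the thread, and it models `blackhole` as "do not fire again for the same groupby key until the window expires". The IPs, file paths and timestamps are constructed sample data.

```python
# Toy model of a CrowdSec "trigger" scenario fed with labelled events.
# Assumptions (this is illustration, not CrowdSec code): an event is a
# nested dict shaped like evt.Line / evt.Meta, the filter is restricted to
# the `evt.<path> == "<literal>"` form used in the thread, and blackhole
# simply suppresses re-triggering per groupby key for its duration.
from datetime import datetime, timedelta
import re


def get_path(obj, dotted):
    """Resolve a dotted path such as 'Line.Labels.alwaysban' inside nested dicts."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


_FILTER_RE = re.compile(r"""^evt\.([\w.]+)\s*==\s*(['"])(.*)\2$""")


def compile_filter(expr):
    """Turn `evt.X.Y == "literal"` into a predicate over an event dict."""
    m = _FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    path, literal = m.group(1), m.group(3)
    # Acquisition labels are strings, which is why the thread compares to "true".
    return lambda evt: get_path(evt, path) == literal


def parse_duration(text):
    """Parse CrowdSec-style durations like '30s', '1m', '4h'."""
    units = {"s": 1, "m": 60, "h": 3600}
    m = re.fullmatch(r"(\d+)([smh])", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * units[m.group(2)])


class TriggerScenario:
    def __init__(self, name, filter_expr, groupby, blackhole):
        self.name = name
        self.matches = compile_filter(filter_expr)
        self.groupby = groupby[4:] if groupby.startswith("evt.") else groupby
        self.blackhole = parse_duration(blackhole)
        self.blackholed_until = {}  # groupby key -> datetime the window ends

    def feed(self, evt, now):
        """Return an alert dict when the event triggers, else None."""
        if not self.matches(evt):
            return None
        key = get_path(evt, self.groupby)
        if key is None:
            return None
        until = self.blackholed_until.get(key)
        if until is not None and now < until:
            return None  # still inside the blackhole window for this key
        self.blackholed_until[key] = now + self.blackhole
        return {"scenario": self.name, "source_ip": key, "at": now}


def make_event(source_ip, path, labels):
    """Constructed event carrying only the fields the thread's filters touch."""
    return {"Line": {"Labels": labels, "Src": path},
            "Meta": {"source_ip": source_ip, "datasource_path": path}}


def run_demo():
    """Feed constructed events through a label-based and a path-based scenario."""
    banned_labels = {"type": "nginx", "alwaysban": "true"}  # labelled acquisition
    plain_labels = {"type": "nginx"}                        # ordinary acquisition
    filtered, access = "/var/log/nginx/filtered.log", "/var/log/nginx/access.log"
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = [
        (t0, make_event("203.0.113.10", filtered, banned_labels)),                          # fires
        (t0 + timedelta(seconds=20), make_event("203.0.113.10", filtered, banned_labels)),  # blackholed
        (t0 + timedelta(seconds=30), make_event("198.51.100.7", access, plain_labels)),     # not matched
        (t0 + timedelta(seconds=90), make_event("203.0.113.10", filtered, banned_labels)),  # window expired
    ]
    by_label = TriggerScenario("my/customscenario",
                               'evt.Line.Labels.alwaysban == "true"',
                               "evt.Meta.source_ip", "1m")
    by_path = TriggerScenario("my/bypath",
                              f"evt.Meta.datasource_path == '{filtered}'",
                              "evt.Meta.source_ip", "1m")
    alerts = {"by_label": [], "by_path": []}
    for now, evt in events:
        for name, scenario in (("by_label", by_label), ("by_path", by_path)):
            alert = scenario.feed(evt, now)
            if alert:
                alerts[name].append(alert["source_ip"])
    return alerts


if __name__ == "__main__":
    print(run_demo())
```

Both scenarios produce the same alerts on this input because the path-based filter selects exactly the file that carries the `alwaysban` label; the difference is where the decision lives (in the acquisition's labels, which survive renaming or adding files, versus in the scenario, which must be edited whenever the path changes). The second event from the same IP is dropped by the 1m blackhole, and the fourth fires again once the window has passed.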
blotus
blotus9mo ago
You mean using a custom nginx parser and the one we provide? If so, yes, you will just have to change the type in the acquisition (nginx-custom for example) and filter on that in your custom parser.
iiamloz
iiamloz9mo ago
You should be able to get the actual file from the event as well, I can't remember the key off the top of my head.