how to get notification variables
I'm trying to wrap my head around the syntax of notification variables, please be patient
"title": "{{.Type }} {{ .Value }} for {{.Duration}}",
I was reading this documentation but I do not understand how to map the parsed values to the notification variables, in order to create custom messages, can someone please show me some example?
like what if I want to add evt.Meta.IsoCode value?
thank you36 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
So from the current template the section you shown my guess is within a
{{range .Decisions}} this means in the current context you can only access variables from the Decisions struct.
If you want to be able to use .Source within the same scope you have to assign a template variable above for example:
We do this in the slack example https://docs.crowdsec.net/docs/next/local_api/notification_plugins/slack but we check if the Cn exists firstly or put a pirate emoji as this can be empty.Slack Plugin | CrowdSec
The slack plugin is by default shipped with your CrowdSec installation. The following guide shows how to enable it.
If it any use I created this ages ago, needs updating but its an online template tester https://ctt.laurencejones.dev/
so for example my snippet shows the following
that's an awesome tool, thank you! I'll deep dive and let you know
We also have https://playground.crowdsec.net/#/notifications (which is also a work in progress).
You can get the JSON for an alert by running
cscli alerts inspect ALERT_ID | jq -c '[.]' (the jq is here to turn a single alert into an array).
This version also supports the custom templating helpers that crowdsec exposes if you have a more complex template.Crowdsec Playground
Crowdsec Playground
And in your case, to get metas from an alert, you'll likely want to use the
GetMeta helper https://docs.crowdsec.net/docs/next/local_api/notification_plugins/template_helpers#getmetaalert-keyTemplating helpers | CrowdSec
In order to simplify some operation in the templates, we provide some custom helpers.
Unknown User•9mo ago
Message Not Public
Sign In & Join Server To View
from the playground ?
You can't, it's go executing in your browser through WASM, so we don't have access to the environment (we could probably cheat by having you provide them and then faking the environment, but I'm not even sure WASM has a notion of environment variables)
best thing you can do would be to manually replace the call to getenv with some hardcoded value
I had some time to be back on this in these holidays and I integrated successfully the country in my gotify instance ✨
edit: is possible to get the country full name instead of the ISO code?
also I'm now trying to show the nginx $http_referer log variable in the message part of the notification, but I can't see it's key/value in the alert context field, is that feasible?
I successfully created a custom version of nginx parser, basically adding
- meta: http_referer
expression: "evt.Parsed.http_referer"
to /etc/crowdsec/config/parsers/s01-parse/custom/nginx-logs.yaml.
through cscli explain I can see my custom parser being used succesfully to generate an alert (and ban my test device) but I can't see the http_referer with alert inspect, how can I recall it in my notification? because using {{ evt.Parsed.http_referer }} is not workingso
meta attributes on per event basis are transformed into Alert.Events which is an slice of Events (https://pkg.go.dev/github.com/crowdsecurity/crowdsec@master/pkg/models#Event) so depending on your current template it may need some variable setting before handmy current template is
format: |
{{ range . -}}
{{ $alert := . -}}
{
"extras": {
"client::display": {
"contentType": "text/markdown"
}
},
"priority": 3,
{{range .Decisions -}}
"title": "{{.Type }} {{ .Value }} from {{ $alert.Source.Cn }} for {{.Duration}}",
"message": "{{.Scenario}} \n\n[crowdsec cti](https://app.crowdsec.net/cti/{{.Value -}}) \n[shodan](https://shodan.io/host/{{.Value -}}) \n[ipinfo.io](https://ipinfo.io/{{.Value -}})"
{{end -}}
}
{{ end -}}
how should I create that variable? do the transformation gets me {{ Alert.Events.http_referer }} ?
Is there a docs page that explain this kind of mapping?
sorry for all the prompt, I'm kinda lost 😫A fellow gotfiy user 😄
So, because the events is a slice you can for loop over them to get the value. However, this can be very verbose and can show duplicate data because it can have the same value.
Let me cook a little bit and see if there an easy way to get unqiue values.
chef kiss
thank you so much for your time and meanwhile have a great start of new year 🥂
so the easiest way to get variables is this
Please note if you are using
"contentType": "text/markdown" then there a risk that the http_path can contain items that get render by the markdown renderer
I put html escape there but it doesnt do anything to prevent markdown items such as Unknown User•8mo ago
Message Not Public
Sign In & Join Server To View
The alert / decisions are generated and sent to notifications before they get inserted into the database so they are always 0 AFAIK.
if you reinject the alert via
cscli notifications reinject then my guess it will have the right id'sUnknown User•8mo ago
Message Not Public
Sign In & Join Server To View
No reason, just we send the notifications as soon as the alert is generated so this just means it hasnt interacted with the database to get the incremented ID
I will create an issue so it documented and we can investigate in future if there a way to send after the fact
thank you for the help!
although when I try to use my custom meta (https://discord.com/channels/921520481163673640/1318537393896423454/1323033513846378556) it will print nothing after ipinfo line, where I lost it?
Did the alert you generate get the meta data if you use
cscli alerts inspect -d <id> you should see all meta data that was saved.you mean in the context section of alert inspect output? it's not there, what could be the culprit?
is your custom nginx parser the only nginx parser?
there's the default one too, from the crowdsecurity hub, but shouldn't be overrided? with cscli explain I can see my custom parser being used succesfully, even if not all the times
there's a way to use only the custom one?
yeah just remove the official one via
cscli parsers remove but does is custom mostly copy and paste of the official just with the refferer added? if so we could just move it to an enricher?this is exactly what I did, I'll try to move it to an enricher, thank you for the help, appreciated
You just need to create a very blank enricher such as
if
evt.Parsed.http_referer returns nothing then the enricher is not acted upon
this can be added to /etc/crowdsec/parsers/s02-enrich/my-enricher.yaml
but this does mean you need to remove your custom parser in s01-parse so the official is the main one.I indeed removed the parser and created an enricher, did a ban test and with explain I can see the enricher being used but then on alert inspection I don't see the meta data
the
context is different, if you run with -d do you still not see it?there it is!
so I need to specify a different context in the notification configuration right?
As long as your using my template above and changing
"http_path" to "http_referer" it should be added to your notifications.what if I would to keep
"http_path" too? can I add it like this or I have to use some kind of separator?
\n\n{{range GetMeta $alert "http_path" "http_referer" -}}{{ . | HTMLEscape }}\n\n{{ end -}}it only accepts a single argument, so you would have to duplicate the range loop
Unknown User•8mo ago
Message Not Public
Sign In & Join Server To View
GitHub
[database ids] Alert and Decisions · Issue #3409 · crowdsecurity/cr...
Currently we send alerts to the notification channel before they are inserted into the database this means the ID of the Alert and Decision are always 0 as they are INT this is the default value. S...