Service machine won't connect to LAPI
Hi all
Here's the setup:
Standalone Crowdsec server: This server is the LAPI which should take in logs from services, and take decisions from the logs.
NGINX Reverse Proxy: Has bouncer which is connected successfully to the LAPI, but when i run the crowdsec service on this machine and point it to the LAPI, i get this error when it tries to boot the crowdsec service. The NGINX reverse proxy and the crowdsec services run in docker. It's the NPMPlus package, that has crowdsec built in.
Error: no matches found
Generate local agent credentials
level=warning msg="crowdsec local API is disabled because 'enable' is set to false"
Error: local API is disabled -- this command must be run on the local API machine
i've followed this guide, but i keep stumbling into the same issue: https://www.crowdsec.net/blog/multi-server-setup
Setting up A Multi-Server Security Engine Installation
Learn how to deploy multiple Security Engines in a multi-server setup with one of the servers configured to store and share the collected signals.
Resolving Service machine won't connect to LAPI
This has now been resolved. If you think this is a mistake please run
/unresolve
@BoinQ How did you resolve this? I have the same exact issue
so on the crowdsec machine (not log parser sitting on NGINX), you register the IP of the log parser
i have the opnsense box (LAPI) and my unraid box with crowdsec in docker and npmplus in another docker. I registered the crowdsec docker (log parser) to the opnsense lapi. I validated the machine on the lapi but the docker cant connect. after turning off the lapi on the docker it wont start and i get the same errors in the logs.
Ive been watching the live firewall on opnsense and i dont see anything being blocked
(i am later going to join npmplus as a remediation component to the lapi but i havent done that yet.)
on another network i have the opposite setup. the lapi still runs on docker and the opnsense box was added as a log parser. That all works fine. I am wanting to reverse this for my other setup and im running into these problems
this is how my crowdsec config looks like on the nginx machine (log parser)

does the api section look the same for you?
the only difference i see besides mine having some extra stuff under server is insecure_skip_verify was set to false
looks like it's set to listen, if this is the log parser, (the one that reads from opnsense's logs), to my knowledge it should only have
api:
enable: false
otherwise it will run it as a server. But i'm no expert at this, so take it with a grain of salt
oh sorry that was false earlier, i had to re-enable it so it would start again
the docker would just crash over and over with server enable: false
in local_api_credentials.yaml on the log parser, was the url and login automatically set with the cscli lapi register command?
i just checked my local api credentials file on the log parser, and that file doesn't even exist, so i dont even think that part is needed
interesting...
are you running the log parser in docker?
or just npmplus in docker
so i have NpmPlus running in its own LXC on Proxmox, and in that LXC, NGINX and Crowdsec runs in docker. And then the crowdsec standalone runs in yet another LXC
it's overkill to do it this way, but i was planning on adding more log parsers and bouncers in the future, that's why i did it this way
this is my config for the crowdsec standalone that takes all the decisions, here you can see the api part having the listener

that looks basically the same as mine besides the fact you added more trusted_ips. maybe thats the issue. im going to play around with it, it seems this person has the same issue as well https://discord.com/channels/921520481163673640/1370315909830414416/1370315909830414416
closer to my setup with opnsense being the lapi
i believe what did it for me was removing everything under "server:" and just having "enable: false". It was a while ago, but i was fighting with it for hours, and it was the same issue with that error you had. Feel free to DM me, i'll try and help however i can
thanks man. Ill hit you up if i get too completely stuck. im going to play around with it. it took me forever to get it figured out my first go-round. i really wasnt expecting it to kick my ass like this again for this second setup lol
yea it took me quite a while to figure out the ins and outs of crowdsec too, i will suggest thoroughly reading this https://www.crowdsec.net/blog/multi-server-setup
another thing to keep an eye on is how much RAM your log parser eats, because i've had it flood my LXC with giant log files making it choke the life out of my NGINX, if you get that issue then this is your fix

the logging section
im thinking this may be an opnsense/firewall related issue. it doesnt look like its even trying to use the api key

is x.x.20.1 your opnsense firewall? and x.x.20.4 your crowdsec machine?
yep
then it looks like the opnsense is connected to the crowdsec machine, last heartbeat was 44 seconds ago
opnsense is running crowdsec and is acting as the lapi
its a plugin for it
the 20.4 machine is a docker server and going to be a log parser
ive also been working on building a proxmox box so i want to be able to attach it to the opnsense lapi as well
ooh right right, then yea it's not connecting then
i had to make a firewall rule on the lan interface to even let me use the register command on the log parser
nothing else is being blocked from that pc tho

yea i dont know much about opnsense, perhaps it's actually blocking the connection
tho the error you posted earlier seems like the same issue i had
yea, that other support post i linked was a guy doing the same thing im doing but seemed to be using a custom local creds file for some reason instead of the default
his lapi was on opnsense
he never fixed it i dont think
hmm yea, i'm not quite sure at this point, all i can really suggest is trying to fiddle around with it, reference my configs hopefully they can help
it could be a bug in the opnsense plugin?
ive done the opposite successfully before on my other site. ie having the opnsense crowdsec be the log parser and remediation component while the docker server runs the lapi
yea thats what im going to do, thanks for the suggestions!
i'll cross my fingers for you, hopefully you get it to work, but yea you can always try and DM me if all hope is lost
im going to see if the other guy ever figured it out
sounds good 🙂