CrowdSec • 7mo ago
TornaxO7

Check if decision has been successfully taken?

I'm really unsure whether I've configured crowdsec to be fully functional now or not.
So
journalctl -u sshd -e
contains messages like this:
Jun 03 02:47:01 server sshd-session[1760286]: Connection reset by authenticating user root 45.140.17.124 port 33492 [preauth]

cscli explain --log <the log entry> --type syslog
gives me this:
line: Jun 03 02:47:01 server sshd-session[1760286]: Connection reset by authenticating user root 45.140.17.124 port 33492 [preauth]
        β”œ s00-raw
        |       β”œ πŸ”΄ crowdsecurity/cri-logs
        |       β”œ πŸ”΄ crowdsecurity/docker-logs
        |       β”” 🟒 crowdsecurity/syslog-logs (+12 ~9)
        β”œ s01-parse
        |       β”œ πŸ”΄ LePresidente/authelia-logs
        |       β”œ πŸ”΄ LePresidente/grafana-logs
        |       β”” 🟒 crowdsecurity/sshd-logs (+6 ~1)
        β”œ s02-enrich
        |       β”œ 🟒 crowdsecurity/dateparse-enrich (+2 ~2)
        |       β”œ 🟒 crowdsecurity/geoip-enrich (+13)
        |       β”œ πŸ”΄ crowdsecurity/http-logs
        |       β”” 🟒 crowdsecurity/whitelists (unchanged)
        β”œ-------- parser success 🟒
        β”œ Scenarios
                β”œ 🟒 crowdsecurity/ssh-bf
                β”œ 🟒 crowdsecurity/ssh-bf_user-enum
                β”œ 🟒 crowdsecurity/ssh-slow-bf
                β”” 🟒 crowdsecurity/ssh-slow-bf_user-enum

so the parsers seem to detect (if I'm interpreting the output right) that this is an attack.
However, if I do
nft list ruleset | grep '45.140.17.124'
I can't find an entry for it. Also I can't find a new alert entry in
cscli alerts list
What could I have been doing wrong?
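A small checker for the situation described in this post, added here as an example and not code from the post or from the CrowdSec project. It does two things: models why a bucket scenario such as crowdsecurity/ssh-bf does not overflow on a single log line (a simplified leaky bucket; the capacity and leak speed used are assumed defaults, and `cscli explain` only shows that the line would feed the scenario, not that the bucket overflowed), and reconciles the decisions CrowdSec reports for an IP with what is actually present in the nftables ruleset. It assumes that `cscli decisions list -i <ip> -o json` returns a JSON array of alerts each carrying a `decisions` list with `value`, `type` and `duration` fields, and that the nftables bouncer stores banned addresses as set elements visible in `nft list ruleset`; the sample JSON and ruleset below are constructed.

```python
"""Check whether a CrowdSec decision for an IP exists and reached nftables.

Added example (not from the original post). Assumptions: cscli's JSON output is an
array of alerts with a "decisions" list; the nftables bouncer writes banned IPs as
set elements. Sample data below is constructed, not captured from a real host.
"""
import json
import re
import subprocess
import sys

# Constructed sample of `cscli decisions list -o json`: one ban produced by ssh-bf.
SAMPLE_DECISIONS_JSON = json.dumps([{
    "id": 1,
    "scenario": "crowdsecurity/ssh-bf",
    "source": {"scope": "Ip", "value": "203.0.113.7"},
    "decisions": [{"id": 10, "origin": "crowdsec", "scope": "Ip",
                   "value": "203.0.113.7", "type": "ban", "duration": "3h59m"}],
}])

# Constructed excerpt of `nft list ruleset` as the nftables bouncer would write it.
SAMPLE_NFT_RULESET = """table ip crowdsec {
    set crowdsec-blacklists {
        type ipv4_addr
        flags timeout
        elements = { 203.0.113.7 timeout 4h expires 3h58m12s }
    }
    chain crowdsec-chain {
        type filter hook input priority filter; policy accept;
        ip saddr @crowdsec-blacklists drop
    }
}
"""


def leaky_bucket_overflows(event_times, capacity=5, leakspeed=10.0):
    """Simplified leaky-bucket model: each event adds one token, tokens leak at
    one per `leakspeed` seconds, and the bucket overflows (an alert would be
    raised) once the level exceeds `capacity`. One event can never overflow."""
    level, last = 0.0, None
    for t in event_times:
        if last is not None:
            level = max(0.0, level - (t - last) / leakspeed)
        level += 1
        last = t
        if level > capacity:
            return True
    return False


def decisions_for_ip(decisions_json, ip):
    """Return the decision dicts targeting `ip` from cscli's JSON output.
    cscli prints `null` when there are no results, hence the `or []`."""
    alerts = json.loads(decisions_json) or []
    return [d for alert in alerts for d in (alert.get("decisions") or [])
            if d.get("value") == ip]


def ip_in_nft_ruleset(ruleset_text, ip):
    """True if `ip` appears as a whole address token in nft output
    (so 203.0.113.7 does not match an element 203.0.113.70)."""
    pattern = r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])"
    return re.search(pattern, ruleset_text) is not None


def check_ip(ip, decisions_json, ruleset_text):
    """Reconcile the two sources: does CrowdSec hold a decision for `ip`,
    and has the bouncer pushed it into the firewall?"""
    return {
        "decision": bool(decisions_for_ip(decisions_json, ip)),
        "in_firewall": ip_in_nft_ruleset(ruleset_text, ip),
    }


def _run(cmd):
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # With an IP argument, query the live host; without one, use the constructed samples.
    if len(sys.argv) > 1:
        ip = sys.argv[1]
        dec = _run(["cscli", "decisions", "list", "-i", ip, "-o", "json"])
        nft = _run(["nft", "list", "ruleset"])
    else:
        ip, dec, nft = "203.0.113.7", SAMPLE_DECISIONS_JSON, SAMPLE_NFT_RULESET
    print(ip, check_ip(ip, dec, nft))
    print("six failures in 5s overflow ssh-bf model:", leaky_bucket_overflows(range(6)))
```

The interesting outcome is `{"decision": True, "in_firewall": False}`: CrowdSec has banned the address but the bouncer has not applied it, which points at the bouncer (API key, service state, or its nftables configuration) rather than at parsing. `{"decision": False, ...}` after a single log line is expected, since the bucket needs several events inside its leak window before an alert and a decision exist at all.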