CrowdSec, 2mo ago
nferch

postoverflows and 1.6.10

Have been trying to figure out why my custom postoverflow doesn't work on 1.6.10. It shows in the log as being loaded (as it does in 1.6.9) but doesn't have any effect or debug output. I've noticed that the 1.6.10 container by default includes CDN and SEO whitelist nodes but don't see how those could interfere.
7 Replies
iiamloz, 2mo ago
if you could provide some information / maybe even the snippet of the postoverflow like:
- File location
- Logs
- Do you see any debug if you set debug: true within the yaml
nferch (OP), 2mo ago
in the log I can see the postoverflow and debug being enabled, but it never produces any debug output:
time="2025-07-20T23:56:22Z" level=info msg="marginal/services_allowlist_infra has debug enabled" id=dark-wood
time="2025-07-20T23:56:22Z" level=debug msg="adding expression evt.Overflow.Alert.Source.IP in File(\"infra_allowlist.txt\") to whitelists" id=dark-wood name=marginal/services_allowlist_infra stage=s01-whitelist
time="2025-07-20T23:56:22Z" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/postoverflows/s01-whitelist/infra-allowlist.yaml stage=s01-whitelist
the postoverflow itself is very simple, essentially:
data:
  - source_url:
    dest_file: infra_allowlist.txt
    type: string
whitelist:
  reason: "well-known IP ranges"
  expression:
    - evt.Overflow.Alert.Source.IP in File("infra_allowlist.txt")
it has a filter that scopes it to certain scenarios, but even if I remove that completely it still isn't triggered
the logs on startup on 1.6.9 are nearly identical, but it triggers and generates debug logging:
time="2025-07-20T23:52:17Z" level=debug msg="dbg(result=true): evt.Overflow.Alert.Source.IP in File(\"infra_allowlist.txt\")" id=wandering-field name=marginal/services_allowlist_infra stage=s01-whitelist
iiamloz, 2mo ago
whilst I test, if you run cscli metrics you don't see your postoverflow in metrics anywhere? cause on my 1.6.10 it shows the postoverflows all there
however, I guess the snippet you showed was not the full file as it expects a name and description.
here are my debug logs
time="2025-07-22T07:27:51+01:00" level=info msg="my/po_whitelist has debug enabled" id=holy-brook
time="2025-07-22T07:27:51+01:00" level=debug msg="adding expression evt.Overflow.Alert.Source.IP in File(\"my_whitelist.txt\")\n to whitelists" id=holy-brook name=my/po_whitelist stage=s01-whitelist
time="2025-07-22T07:27:51+01:00" level=debug msg="dbg(result=true): evt.Overflow.Alert.Source.IP in File(\"my_whitelist.txt\")" id=holy-brook name=my/po_whitelist stage=s01-whitelist
time="2025-07-22T07:27:51+01:00" level=debug msg=" [File(\"my_whitelist.txt\")] File(\"my_whitelist.txt\") = [192.168.1.1]" id=holy-brook name=my/po_whitelist stage=s01-whitelist
time="2025-07-22T07:27:51+01:00" level=debug msg=" [in File(\"my_whitelist.txt\")] \"192.168.1.1\" in [192.168.1.1] -> true" id=holy-brook name=my/po_whitelist stage=s01-whitelist
nferch (OP), 2mo ago
so with 1.6.10 my postoverflow shows up in cscli metrics but only with 1 hit/parsed
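
The symptom compared in this thread (a postoverflow whose expression is loaded at startup but which never logs a `dbg(result=...)` evaluation) can be checked mechanically over a log excerpt. The following is an added example, not code from the thread participants or from CrowdSec; the function names are hypothetical, and the sample lines are assembled from the excerpts quoted above (the 1.6.9 startup line is constructed from the poster's description).

```python
import re
from collections import defaultdict

# logfmt pair: key=value or key="quoted value with \" escapes"
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
DBG = re.compile(r'^dbg\(result=(true|false)\)')

def parse_line(line):
    """Return the logfmt fields of one CrowdSec log line as a dict."""
    fields = {}
    for key, val in PAIR.findall(line):
        if val.startswith('"'):
            val = re.sub(r'\\(.)', r'\1', val[1:-1])  # strip quotes, drop backslash escapes
        fields[key] = val
    return fields

def node_status(lines):
    """Map node name -> loaded flag, number of evaluations, number of true results."""
    nodes = defaultdict(lambda: {"loaded": False, "evaluations": 0, "matches": 0})
    for line in lines:
        f = parse_line(line)
        name, msg = f.get("name"), f.get("msg", "")
        if not name or f.get("level") != "debug":
            continue  # only debug lines carry the per-node detail used here
        if msg.startswith("adding expression"):
            nodes[name]["loaded"] = True
        m = DBG.match(msg)
        if m:
            nodes[name]["evaluations"] += 1
            nodes[name]["matches"] += m.group(1) == "true"
    return dict(nodes)

def silent_nodes(lines):
    """Nodes that loaded a whitelist expression but never evaluated it."""
    return sorted(n for n, s in node_status(lines).items()
                  if s["loaded"] and s["evaluations"] == 0)

NODE = "marginal/services_allowlist_infra"
EXPR = r'evt.Overflow.Alert.Source.IP in File(\"infra_allowlist.txt\")'
# 1.6.10 excerpt as quoted in the thread: loaded, no evaluation lines
LOG_1_6_10 = [
    r'time="2025-07-20T23:56:22Z" level=info msg="%s has debug enabled" id=dark-wood' % NODE,
    r'time="2025-07-20T23:56:22Z" level=debug msg="adding expression %s to whitelists" id=dark-wood name=%s stage=s01-whitelist' % (EXPR, NODE),
]
# 1.6.9: constructed startup line plus the dbg line quoted in the thread
LOG_1_6_9 = [
    r'time="2025-07-20T23:52:17Z" level=debug msg="adding expression %s to whitelists" id=wandering-field name=%s stage=s01-whitelist' % (EXPR, NODE),
    r'time="2025-07-20T23:52:17Z" level=debug msg="dbg(result=true): %s" id=wandering-field name=%s stage=s01-whitelist' % (EXPR, NODE),
]
```

A node reported by `silent_nodes` only indicates a problem if `debug: true` is set on it and at least one overflow occurred during the captured window.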
bui, 2mo ago
@nferch if it's "just" to allow specific IP / ranges, you should have a look at the allowlist feature (via cscli allowlists or directly via the console). It handles expiration etc.
nferch (OP), 2mo ago
yeah, have been meaning to look at that although my use case is a bit weird, no ban just an alert
