Vaultwarden: `cscli explain` matches, but `metrics` disagree
I'm trying to integrate this collection: https://app.crowdsec.net/hub/author/Dominic-Wagner/collections/vaultwarden. I've hit the login endpoint with bad user info hundreds of time and see logs like the following.
From
cscli explain --file /logs/vaultwarden.log --type Vaultwarden:
line: [TIMESTAMP][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 111.111.111.111. Username: user@example.com.
β s00-raw
| β π΄ crowdsecurity/cri-logs
| β π΄ crowdsecurity/docker-logs
| β π΄ crowdsecurity/syslog-logs
| β π’ crowdsecurity/non-syslog (+5 ~8)
β s01-parse
| β π΄ crowdsecurity/sshd-logs
| β π’ Dominic-Wagner/vaultwarden-logs (+7 ~3)
β s02-enrich
| β π’ crowdsecurity/dateparse-enrich (+2 ~2)
| β π’ crowdsecurity/geoip-enrich (+13)
| β π’ crowdsecurity/public-dns-allowlist (unchanged)
| β π’ crowdsecurity/whitelists (unchanged)
β-------- parser success π’
β Scenarios
β π’ Dominic-Wagner/vaultwarden-bf
β π’ Dominic-Wagner/vaultwarden-bf_user-enum
As you can see the logs match the expected format, but when I run cscli metrics, very very few lines are reported as parsed and the scenarios aren't triggered.
Source: file:/logs/vaultwarden.log
Lines read: 1.51k
Lines parsed: 3
Lines unparsed: 1.51k
Lines to bucket: 5
Whitelisted: -
Parser: Dominic-Wagner/vaultwarden-logs
Hits: 1.51k
Parsed: 3
Unparsed: 1.51k
Child parser:
Hits: 6.03k
Parsed: 3
Unparsed: 6.03k
Scenario: vaultwarden-bf
Instantiated: 2
Poured: 3
Expired: 2
Scenario: vaultwarden-bf_user-enum
Instantiated: 2
Poured: 2
Expired: 2
Help!? Why aren't the scenarios gaining hits?Collections, AppSec Rules & Configurations | CrowdSec Hub
Manage collections, configurations, remediation components, and AppSec rules with CrowdSec Hub. Streamline security with tools and integrations for enhanced protection.
1 Reply
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
Β© Created By WhyAydan for CrowdSec β€οΈ