Vaultwarden: `cscli explain` matches, but `metrics` disagree
I'm trying to integrate this collection: https://app.crowdsec.net/hub/author/Dominic-Wagner/collections/vaultwarden. I've hit the login endpoint with bad user info hundreds of time and see logs like the following.
From
line: [TIMESTAMP][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 111.111.111.111. Username: user@example.com.
β s00-raw
| β
crowdsecurity/cri-logs
| β crowdsecurity/docker-logs
| β crowdsecurity/syslog-logs
| β
crowdsecurity/non-syslog (+5 ~8)
β s01-parse
| β crowdsecurity/sshd-logs
| β Dominic-Wagner/vaultwarden-logs (+7 ~3)
β s02-enrich
| β crowdsecurity/dateparse-enrich (+2 ~2)
| β crowdsecurity/geoip-enrich (+13)
| β crowdsecurity/public-dns-allowlist (unchanged)
| β crowdsecurity/whitelists (unchanged)
β-------- parser success
β Scenarios
β Dominic-Wagner/vaultwarden-bf
β Dominic-Wagner/vaultwarden-bf_user-enum
As you can see the logs match the expected format, but when I run
Source: file:/logs/vaultwarden.log
Lines read: 1.51k
Lines parsed: 3
Lines unparsed: 1.51k
Lines to bucket: 5
Whitelisted: -
Parser: Dominic-Wagner/vaultwarden-logs
Hits: 1.51k
Parsed: 3
Unparsed: 1.51k
Child parser:
Hits: 6.03k
Parsed: 3
Unparsed: 6.03k
Scenario: vaultwarden-bf
Instantiated: 2
Poured: 3
Expired: 2
Scenario: vaultwarden-bf_user-enum
Instantiated: 2
Poured: 2
Expired: 2
Help!? Why aren't the scenarios gaining hits?
From
cscli explain --file /logs/vaultwarden.log --type Vaultwardenline: [TIMESTAMP][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 111.111.111.111. Username: user@example.com.
β s00-raw
| β
crowdsecurity/cri-logs| β
crowdsecurity/docker-logs| β
crowdsecurity/syslog-logs| β
crowdsecurity/non-syslog (+5 ~8)β s01-parse
| β
crowdsecurity/sshd-logs| β
Dominic-Wagner/vaultwarden-logs (+7 ~3)β s02-enrich
| β
crowdsecurity/dateparse-enrich (+2 ~2)| β
crowdsecurity/geoip-enrich (+13)| β
crowdsecurity/public-dns-allowlist (unchanged)| β
crowdsecurity/whitelists (unchanged)β-------- parser success
β Scenarios
β
Dominic-Wagner/vaultwarden-bfβ
Dominic-Wagner/vaultwarden-bf_user-enumAs you can see the logs match the expected format, but when I run
cscli metricsSource: file:/logs/vaultwarden.log
Lines read: 1.51k
Lines parsed: 3
Lines unparsed: 1.51k
Lines to bucket: 5
Whitelisted: -
Parser: Dominic-Wagner/vaultwarden-logs
Hits: 1.51k
Parsed: 3
Unparsed: 1.51k
Child parser:
Hits: 6.03k
Parsed: 3
Unparsed: 6.03k
Scenario: vaultwarden-bf
Instantiated: 2
Poured: 3
Expired: 2
Scenario: vaultwarden-bf_user-enum
Instantiated: 2
Poured: 2
Expired: 2
Help!? Why aren't the scenarios gaining hits?
Manage collections, configurations, remediation components, and AppSec rules with CrowdSec Hub. Streamline security with tools and integrations for enhanced protection.
