Why does this parser do/catch nothing?
Howdy --
Just set up NPNPlus + Crowdsec as a docker stack. I tested bad logins to *arr apps and did not get bounced (bouncer is working, i can manully add my IP to the block list and get bounced).
ChatGPT said it's because of the way *arr responds to a bad log in and i needed a custom parser to catch it. I'm trying to catch this 'loginFailed=true'.
Parser is here: ./parsers/s01-parse/LoginFailedTrue.yaml.
Content:
name: local/LoginFailedTrue
description: "Detect Sonarr/Radarr failed logins from NPMplus logs"
stage: s01-parse
#debug: true
onsuccess: next_stage
nodes:
- grok:
apply_on: Line.Raw
pattern: '%{DATA}loginFailed=true%{DATA}'
statics:
- meta: log_type
value: LoginFailedTrue
- meta: service
value: arr-suite
But it just doesn't seem to match anyhting! You can see here it is installed and being applied against logs, but 0 hits (even though I have done failed log ins and can see lines in the access.logs when I look)
$docker exec -it crowdsec cscli parsers inspect local/LoginFailedTrue
type: parsers
stage: s01-parse
name: local/LoginFailedTrue
file_name: LoginFailedTrue.yaml
dependencies: {}
local_path: /etc/crowdsec/parsers/s01-parse/LoginFailedTrue.yaml
downloadpath: ""
up_to_date: true
tainted: false
installed: true
local: true
Current metrics:
│ (Parser) local/LoginFailedTrue
│ Parsers │ Hits │ Parsed │ Unparsed │ │ appsec:appsec │ 3 │ 0 │ 3 │ │ file:/opt/npmplus/nginx/access.log │ 2154 │ 0 │ 2154 │ │ file:/opt/npmplus/nginx/error.log │ 179 │ 0 │ 179 │ ChatGPT is no help here and I can't find documentaiton that seems to cover this. Can anyone help?
│ Parsers │ Hits │ Parsed │ Unparsed │ │ appsec:appsec │ 3 │ 0 │ 3 │ │ file:/opt/npmplus/nginx/access.log │ 2154 │ 0 │ 2154 │ │ file:/opt/npmplus/nginx/error.log │ 179 │ 0 │ 179 │ ChatGPT is no help here and I can't find documentaiton that seems to cover this. Can anyone help?
2 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
So you never want to create a
s01 parser (unless it a completely new application that we dont have on the hub) because those are already made for applications such as NPMPlus, so creating a s01 will most likely cause all other log lines to become unparsed.
What you want to do is create a scenario based on the information which is parsed from the npmplus parser. if you run cscli explain --log "<log line>" --type npmplus -v it will show you all of the variable you have access too.