Getting hostname in notification in a distributed setup
I have been playing around with my crowdsec alerts trying to get the hostname for the attacked system in my notification. I have been doing some research and have gotten some results but it always returns the name of the machine running the LAPI. The way to do this differs depending on the OS the LAPI is running on and it doesn't seem to be documented clearly? i.e.
env "HOST" for freebsd, env "HOST_HOSTNAME" for docker, and {{ Hostname }} for Windows. (All of those variables are already built in and do not have to be added)
In a distributed setup, is the only way to get the name of the actual host being attacked using a lookup table based on the Machine property in the alert?
Below is a snippet of my discord.yaml:
The template is evaluated by the LAPI, so you'll always get the LAPI hostname, we don't expose the actual log processor hostname anywhere (we do not even collect it to add it in the alert), the closest thing is the machine name.
And FYI, the Hostname helper (that you use for Windows) should work for any OS.
{{ Hostname }} works on docker but it returns the hostname of the container and not the hostname of the machine the container is running on. Example below.
that's expected.
By default, a container has no way of knowing the host hostname, unless passed explicitly through an env var or something
but yeah, that's sadly what I was expecting to hear from my testing. Do you have any kind of template on hand or guidance for the lookup table to convert machine name to a hostname?
From what I could tell, env "HOST_HOSTNAME" was built in because it's not in my compose. I also didn't see it on the docker hub.
It was just there, unless unraid adds it or something?
I think the easiest way would be to change the names of your machines in crowdsec to have them match the hostname.
Renaming a machine is not supported, so you'll need to generate new credentials.
On the log processors:
cscli lapi register --machine <NAME> --url http://IP:PORT_TO_LAPI
Then on the LAPI (for each machine):
AFAIK, we don't add it ourselves, so yeah, could be unraid doing it for you.
How do I change the machine name on the LAPI machine? I saw it can be done with a docker env variable but in my case my LAPI runs on opnsense (freebsd).
I saw the local creds file but it blew up when I changed the login there iirc.
on the LAPI, you can just do
cscli machines add <NAME>, it will overwrite by default the credentials files for the LAPI.
Oh interesting,
thanks for the help!
I'll try this all out soon.
I'll also have to modify the config for the remediation components too once I change the LAPI machine name, won't I?
And just to explain a bit further, there are 2 ways to add machines in LAPI:
- cscli lapi register ... + cscli machines validate: the machine will register itself on LAPI, then you need to validate the registration (there are ways to automate this, see here for an example: https://docs.crowdsec.net/u/user_guides/multiserver_setup/#lapi)
- cscli machines add ...: this command can only be run on LAPI, and will add the machine directly in the database. By default, this will overwrite the credentials file of the LAPI, so if you want to add all your machines like this, you'll need to pass -f - to have the credentials written to stdout.
Nope, no need
Thanks for the help! Now my alerts are super fancy lol
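As an added example (not CrowdSec's code and not from anyone in this thread), here is a Go program that renders a notification `format:` template implementing the machine-name-to-hostname lookup asked about above, keyed on the alert's MachineID. The machine names, hostnames and alerts are constructed, and the small `dict`/`default` functions stand in for the sprig functions that CrowdSec's notification plugins make available; the template string itself is what you would paste into discord.yaml.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Alert carries the alert fields the template reads; MachineID is the
// "Machine" property shown by cscli and reported by the log processor.
type Alert struct {
	MachineID string
	Scenario  string
	Source    struct{ IP string }
}

// The `format:` body. The lookup table maps constructed machine names to
// the hostnames those log processors run on; unknown machines fall back
// to a visible marker instead of silently printing nothing.
const formatTemplate = `{{- $hosts := dict "lp-web" "web01.example.internal" "lp-opnsense" "fw01.example.internal" -}}
{{- range . }}
{{ .Scenario }} from {{ .Source.IP }} on {{ index $hosts .MachineID | default (printf "unknown(%s)" .MachineID) }}
{{- end }}`

// sprigShim provides minimal dict/default with sprig's argument order
// (assumption: in the real plugin these come from sprig, not from here).
func sprigShim() template.FuncMap {
	return template.FuncMap{
		"dict": func(kv ...interface{}) map[string]interface{} {
			m := make(map[string]interface{}, len(kv)/2)
			for i := 0; i+1 < len(kv); i += 2 {
				m[fmt.Sprint(kv[i])] = kv[i+1]
			}
			return m
		},
		"default": func(d interface{}, given ...interface{}) interface{} {
			if len(given) == 0 || given[0] == nil || given[0] == "" {
				return d
			}
			return given[0]
		},
	}
}

// Render evaluates the template over a batch of alerts, as the LAPI does
// before handing the text to a notification plugin.
func Render(alerts []Alert) (string, error) {
	t, err := template.New("format").Funcs(sprigShim()).Parse(formatTemplate)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	if err := t.Execute(&b, alerts); err != nil {
		return "", err
	}
	return b.String(), nil
}

// SampleAlerts returns two constructed alerts: one from a known machine
// and one from a machine missing from the lookup table.
func SampleAlerts() []Alert {
	a := Alert{MachineID: "lp-web", Scenario: "crowdsecurity/http-probing"}
	a.Source.IP = "203.0.113.7"
	b := Alert{MachineID: "lp-unknown", Scenario: "crowdsecurity/ssh-bf"}
	b.Source.IP = "198.51.100.9"
	return []Alert{a, b}
}

func main() {
	out, err := Render(SampleAlerts())
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```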
