Getting hostname in notification in a distributed setup

I have been playing around with my crowdsec alerts trying to get the hostname for the attacked system in my notification. I have been doing some research and have gotten some results but it always returns the name of the machine running the LAPI. The way to do this differs depending on the OS the LAPI is running on and it doesnt seem to be documented clearly? ie

env "HOST"

env "HOST"

for freebsd,

env "HOST_HOSTNAME"

env "HOST_HOSTNAME"

for docker, and

{{ Hostname }}

{{ Hostname }}

for Windows. (All of those variables are already built in and do not have to be added)

In a distributed setup, is the only way to get the actual host being attacked name using a lookup table based on the Machine property in the alert?

Below is a snippit of my discord.yaml:

        "fields": [
              {{if env "HOST" -}} #opnsense
              {
                "name": "Hostname",
                "value": "`{{ env "HOST" }}`",
                "inline": "true"
              },
              {{else if env "HOST_HOSTNAME" -}} #docker
              {
                "name": "Hostname",
                "value": "`{{ env "HOST_HOSTNAME" }}`",
                "inline": "true"
              },
              {{else if Hostname -}} #windows
              {
                "name": "Hostname",
                "value": "`{{ Hostname }}`",
                "inline": "true"
              },

        "fields": [
              {{if env "HOST" -}} #opnsense
              {
                "name": "Hostname",
                "value": "`{{ env "HOST" }}`",
                "inline": "true"
              },
              {{else if env "HOST_HOSTNAME" -}} #docker
              {
                "name": "Hostname",
                "value": "`{{ env "HOST_HOSTNAME" }}`",
                "inline": "true"
              },
              {{else if Hostname -}} #windows
              {
                "name": "Hostname",
                "value": "`{{ Hostname }}`",
                "inline": "true"
              },

CrowdSec•4mo ago•

20 replies

Willpower

Getting hostname in notification in a distributed setup

env "HOST"

env "HOST"

for freebsd,

env "HOST_HOSTNAME"

env "HOST_HOSTNAME"

for docker, and

{{ Hostname }}

{{ Hostname }}

        "fields": [
              {{if env "HOST" -}} #opnsense
              {
                "name": "Hostname",
                "value": "`{{ env "HOST" }}`",
                "inline": "true"
              },
              {{else if env "HOST_HOSTNAME" -}} #docker
              {
                "name": "Hostname",
                "value": "`{{ env "HOST_HOSTNAME" }}`",
                "inline": "true"
              },
              {{else if Hostname -}} #windows
              {
                "name": "Hostname",
                "value": "`{{ Hostname }}`",
                "inline": "true"
              },

        "fields": [
              {{if env "HOST" -}} #opnsense
              {
                "name": "Hostname",
                "value": "`{{ env "HOST" }}`",
                "inline": "true"
              },
              {{else if env "HOST_HOSTNAME" -}} #docker
              {
                "name": "Hostname",
                "value": "`{{ env "HOST_HOSTNAME" }}`",
                "inline": "true"
              },
              {{else if Hostname -}} #windows
              {
                "name": "Hostname",
                "value": "`{{ Hostname }}`",
                "inline": "true"
              },

Getting hostname in notification in a distributed setup

Similar Threads

Getting hostname in notification in a distributed setup

Similar Threads

Similar Threads

Similar Threads