CrowdSec does not start

CrowdSec runs normally after a restart and is down again after rebooting the machine.

2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/postfix-logs.yaml stage=s01-parse
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/postscreen-logs.yaml stage=s01-parse
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/proftpd-logs.yaml stage=s01-parse
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=warning msg="grok 'NGCUSTOMUSER' already registred" id=withered-sky name=crowdsecurity/traefik-logs stage=s01-parse
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/traefik-logs.yaml stage=s01-parse
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/vsftpd-logs.yaml stage=s01-parse
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml stage=s02-enrich
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml stage=s02-enrich
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml stage=s02-enrich
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/nextcloud-whitelist.yaml stage=s02-enrich
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/whitelists.yaml stage=s02-enrich
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 22 nodes from 3 stages"
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loading postoverflow parsers"
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/postoverflows/s00-enrich/rdns.yaml stage=s00-enrich
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/postoverflows/s01-whitelist/cdn-whitelist.yaml stage=s01-whitelist
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/postoverflows/s01-whitelist/seo-bots-whitelist.yaml stage=s01-whitelist
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 3 nodes from 2 stages"
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loading 49 scenario files"
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=bold-frog file=/etc/crowdsec/scenarios/fortinet-cve-2018-13379.yaml name=crowdsecurity/fortinet-cve-2018-13379
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=solitary-lake file=/etc/crowdsec/scenarios/CVE-2022-41697.yaml name=crowdsecurity/CVE-2022-41697
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=ancient-smoke file=/etc/crowdsec/scenarios/CVE-2022-42889.yaml name=crowdsecurity/CVE-2022-42889
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=young-frost file=/etc/crowdsec/scenarios/apache_log4j2_cve-2021-44228.yaml name=crowdsecurity/apache_log4j2_cve-2021-44228
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=crimson-forest file=/etc/crowdsec/scenarios/http-cve-2021-41773.yaml name=crowdsecurity/http-cve-2021-41773
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=spring-dream file=/etc/crowdsec/scenarios/http-wordpress_user-enum.yaml name=crowdsecurity/http-wordpress_user-enum
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=red-darkness file=/etc/crowdsec/scenarios/CVE-2019-18935.yaml name=crowdsecurity/CVE-2019-18935
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=proud-night file=/etc/crowdsec/scenarios/http-bf-wordpress_bf.yaml name=crowdsecurity/http-bf-wordpress_bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=empty-bird file=/etc/crowdsec/scenarios/http-probing.yaml name=crowdsecurity/http-probing
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=floral-water file=/etc/crowdsec/scenarios/thinkphp-cve-2018-20062.yaml name=crowdsecurity/thinkphp-cve-2018-20062
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=red-frost file=/etc/crowdsec/scenarios/vmware-vcenter-vmsa-2021-0027.yaml name=crowdsecurity/vmware-vcenter-vmsa-2021-0027
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=frosty-field file=/etc/crowdsec/scenarios/postfix-spam.yaml name=crowdsecurity/postfix-spam
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=polished-voice file=/etc/crowdsec/scenarios/postfix-spam.yaml name=crowdsecurity/postscreen-rbl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=crimson-snow file=/etc/crowdsec/scenarios/http-generic-bf.yaml name=crowdsecurity/http-generic-bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=spring-bush file=/etc/crowdsec/scenarios/http-generic-bf.yaml name=LePresidente/http-generic-401-bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=cold-night file=/etc/crowdsec/scenarios/http-generic-bf.yaml name=LePresidente/http-generic-403-bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=morning-dawn file=/etc/crowdsec/scenarios/netgear_rce.yaml name=crowdsecurity/netgear_rce
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=falling-haze file=/etc/crowdsec/scenarios/http-sqli-probing.yaml name=crowdsecurity/http-sqli-probbing-detection
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=small-bush file=/etc/crowdsec/scenarios/vsftpd-bf.yaml name=crowdsecurity/vsftpd-bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=winter-feather file=/etc/crowdsec/scenarios/CVE-2022-37042.yaml name=crowdsecurity/CVE-2022-37042
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=purple-dew file=/etc/crowdsec/scenarios/http-cve-2021-42013.yaml name=crowdsecurity/http-cve-2021-42013
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=snowy-cloud file=/etc/crowdsec/scenarios/CVE-2022-35914.yaml name=crowdsecurity/CVE-2022-35914
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=silent-sun file=/etc/crowdsec/scenarios/pgsql-bf.yaml name=crowdsecurity/pgsql-bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=fragrant-violet file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=wandering-bush file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=muddy-violet file=/etc/crowdsec/scenarios/http-w00tw00t.yaml name=ltsich/http-w00tw00t
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=shy-snowflake file=/etc/crowdsec/scenarios/http-path-traversal-probing.yaml name=crowdsecurity/http-path-traversal-probing
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=billowing-forest file=/etc/crowdsec/scenarios/spring4shell_cve-2022-22965.yaml name=crowdsecurity/spring4shell_cve-2022-22965
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=white-leaf file=/etc/crowdsec/scenarios/http-crawl-non_statics.yaml name=crowdsecurity/http-crawl-non_statics
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=crimson-dream file=/etc/crowdsec/scenarios/http-xss-probing.yaml name=crowdsecurity/http-xss-probbing
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=divine-bush file=/etc/crowdsec/scenarios/vmware-cve-2022-22954.yaml name=crowdsecurity/vmware-cve-2022-22954
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=empty-butterfly file=/etc/crowdsec/scenarios/http-backdoors-attempts.yaml name=crowdsecurity/http-backdoors-attempts
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=lively-silence file=/etc/crowdsec/scenarios/http-open-proxy.yaml name=crowdsecurity/http-open-proxy
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=dawn-grass file=/etc/crowdsec/scenarios/jira_cve-2021-26086.yaml name=crowdsecurity/jira_cve-2021-26086
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=muddy-fire file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=red-leaf file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf_user-enum
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=floral-leaf file=/etc/crowdsec/scenarios/CVE-2022-44877.yaml name=crowdsecurity/CVE-2022-44877
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=bold-fire file=/etc/crowdsec/scenarios/http-wordpress_wpconfig.yaml name=crowdsecurity/http-wordpress_wpconfig
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=still-hill file=/etc/crowdsec/scenarios/pulse-secure-sslvpn-cve-2019-11510.yaml name=crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=summer-river file=/etc/crowdsec/scenarios/CVE-2023-22515.yaml name=crowdsecurity/CVE-2023-22515
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=shy-hill file=/etc/crowdsec/scenarios/f5-big-ip-cve-2020-5902.yaml name=crowdsecurity/f5-big-ip-cve-2020-5902
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=lively-firefly file=/etc/crowdsec/scenarios/http-bad-user-agent.yaml name=crowdsecurity/http-bad-user-agent
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=solitary-dew file=/etc/crowdsec/scenarios/CVE-2022-26134.yaml name=crowdsecurity/CVE-2022-26134
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=morning-water file=/etc/crowdsec/scenarios/http-sensitive-files.yaml name=crowdsecurity/http-sensitive-files
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=aged-smoke file=/etc/crowdsec/scenarios/nginx-req-limit-exceeded.yaml name=crowdsecurity/nginx-req-limit-exceeded
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=morning-dream file=/etc/crowdsec/scenarios/CVE-2022-46169.yaml name=crowdsecurity/CVE-2022-46169-bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=wandering-paper file=/etc/crowdsec/scenarios/CVE-2022-46169.yaml name=crowdsecurity/CVE-2022-46169-cmd
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=little-shadow file=/etc/crowdsec/scenarios/dovecot-spam.yaml name=crowdsecurity/dovecot-spam
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=late-mountain file=/etc/crowdsec/scenarios/nextcloud-bf.yaml name=crowdsecurity/nextcloud-bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=late-glade file=/etc/crowdsec/scenarios/nextcloud-bf.yaml name=crowdsecurity/nextcloud-bf_user_enum
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=autumn-breeze file=/etc/crowdsec/scenarios/nextcloud-bf.yaml name=crowdsecurity/nextcloud-bf_domain_error
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=damp-flower file=/etc/crowdsec/scenarios/proftpd-bf.yaml name=crowdsecurity/proftpd-bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=wispy-resonance file=/etc/crowdsec/scenarios/proftpd-bf_user-enum.yaml name=crowdsecurity/proftpd-bf_user-enum
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=winter-wood file=/etc/crowdsec/scenarios/grafana-cve-2021-43798.yaml name=crowdsecurity/grafana-cve-2021-43798
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=lingering-cherry file=/etc/crowdsec/scenarios/CVE-2022-41082.yaml name=crowdsecurity/CVE-2022-41082
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding leaky bucket" cfg=morning-water file=/etc/crowdsec/scenarios/mariadb-bf.yaml name=crowdsecurity/mariadb-bf
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Adding trigger bucket" cfg=dry-leaf file=/etc/crowdsec/scenarios/CVE-2022-40684.yaml name=crowdsecurity/fortinet-cve-2022-40684
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Loaded 57 scenarios"
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Starting processing data"
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=imapsync1]" src="journalctl-SYSLOG_IDENTIFIER=imapsync1" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=crowdsec1]" src="journalctl-SYSLOG_IDENTIFIER=crowdsec1" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 _SYSTEMD_UNIT=sshd.service]" src="journalctl-_SYSTEMD_UNIT=sshd.service" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=traefik1]" src="journalctl-SYSLOG_IDENTIFIER=traefik1" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=mattermost1]" src="journalctl-SYSLOG_IDENTIFIER=mattermost1" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=sogo1]" src="journalctl-SYSLOG_IDENTIFIER=sogo1" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=mail1]" src="journalctl-SYSLOG_IDENTIFIER=mail1" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=loki1]" src="journalctl-SYSLOG_IDENTIFIER=loki1" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=openldap1]" src="journalctl-SYSLOG_IDENTIFIER=openldap1" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=nextcloud1]" src="journalctl-SYSLOG_IDENTIFIER=nextcloud1" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=collabora1]" src="journalctl-SYSLOG_IDENTIFIER=collabora1" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=ldapproxy1]" src="journalctl-SYSLOG_IDENTIFIER=ldapproxy1" type=journalctl
2024-04-07T21:14:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:25" level=info msg="127.0.0.1 - [Sun, 07 Apr 2024 19:14:25 UTC] \"POST /v1/watchers/login HTTP/1.1 200 66.268937ms \"crowdsec/v1.5.4-e4dcdd25728b914823525f1efabf18d5c454902b\" \""
2024-04-07T21:14:28+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/3139e2ee-b861-4588-93be-8c1e5605a7e7: get-name/50get_name is starting
2024-04-07T21:14:28+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/b60c1cfe-6e45-4325-9971-c94b5269832f: get-status/20read is starting
2024-04-07T21:14:28+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/3139e2ee-b861-4588-93be-8c1e5605a7e7: action "get-name" status is "completed" (0) at step 50get_name
2024-04-07T21:14:28+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/b60c1cfe-6e45-4325-9971-c94b5269832f: action "get-status" status is "completed" (0) at step validate-output.json
2024-04-07T21:14:37+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:37" level=info msg="127.0.0.1 - [Sun, 07 Apr 2024 19:14:37 UTC] \"GET /v1/decisions/stream?startup=true HTTP/1.1 200 241.411505ms \"crowdsec-firewall-bouncer/v0.0.28-el9-rpm-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
2024-04-07T21:14:46+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:46" level=info msg="127.0.0.1 - [Sun, 07 Apr 2024 19:14:46 UTC] \"GET /v1/decisions/stream HTTP/1.1 200 7.338441ms \"crowdsec-firewall-bouncer/v0.0.28-el9-rpm-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
2024-04-07T21:14:56+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:14:56" level=info msg="127.0.0.1 - [Sun, 07 Apr 2024 19:14:56 UTC] \"GET /v1/decisions/stream HTTP/1.1 200 6.568629ms \"crowdsec-firewall-bouncer/v0.0.28-el9-rpm-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
2024-04-07T21:15:06+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:15:06" level=info msg="127.0.0.1 - [Sun, 07 Apr 2024 19:15:06 UTC] \"GET /v1/decisions/stream HTTP/1.1 200 6.48893ms \"crowdsec-firewall-bouncer/v0.0.28-el9-rpm-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
2024-04-07T21:15:16+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:15:16" level=info msg="127.0.0.1 - [Sun, 07 Apr 2024 19:15:16 UTC] \"GET /v1/decisions/stream HTTP/1.1 200 6.450179ms \"crowdsec-firewall-bouncer/v0.0.28-el9-rpm-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
2024-04-07T21:15:25+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:15:25" level=info msg="127.0.0.1 - [Sun, 07 Apr 2024 19:15:25 UTC] \"GET /v1/heartbeat HTTP/1.1 200 243.234µs \"crowdsec/v1.5.4-e4dcdd25728b914823525f1efabf18d5c454902b\" \""
2024-04-07T21:15:26+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:15:26" level=info msg="127.0.0.1 - [Sun, 07 Apr 2024 19:15:26 UTC] \"GET /v1/decisions/stream HTTP/1.1 200 6.548772ms \"crowdsec-firewall-bouncer/v0.0.28-el9-rpm-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
2024-04-07T21:15:36+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:15:36" level=info msg="127.0.0.1 - [Sun, 07 Apr 2024 19:15:36 UTC] \"GET /v1/decisions/stream HTTP/1.1 200 6.513883ms \"crowdsec-firewall-bouncer/v0.0.28-el9-rpm-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
2024-04-07T21:15:46+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:15:46" level=info msg="127.0.0.1 - [Sun, 07 Apr 2024 19:15:46 UTC] \"GET /v1/decisions/stream HTTP/1.1 200 6.46486ms \"crowdsec-firewall-bouncer/v0.0.28-el9-rpm-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
2024-04-07T21:15:56+02:00 [1:crowdsec1:crowdsec1] time="07-04-2024 19:15:56" level=info msg="127.0.0.1 - [Sun, 07 Apr 2024 19:15:56 UTC] \"GET /v1/decisions/stream HTTP/1.1 200 6.515092ms \"crowdsec-firewall-bouncer/v0.0.28-el9-rpm-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
2024-04-07T21:17:58+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/39305aaa-27d0-4919-836b-fbec56daa2b3: get-name/50get_name is starting
2024-04-07T21:17:58+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/0bcaa390-0164-4abb-814c-62934d851555: get-status/20read is starting
2024-04-07T21:17:58+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/39305aaa-27d0-4919-836b-fbec56daa2b3: action "get-name" status is "completed" (0) at step 50get_name
2024-04-07T21:17:59+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/0bcaa390-0164-4abb-814c-62934d851555: action "get-status" status is "completed" (0) at step validate-output.json
2024-04-07T21:18:12+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/b1ab1f8f-33c0-41d6-b921-580721208797: get-configuration/20read is starting
2024-04-07T21:18:12+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/b1ab1f8f-33c0-41d6-b921-580721208797: action "get-configuration" status is "completed" (0) at step validate-output.json
2024-04-07T21:18:28+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/e972e7d8-6415-4c4a-a9e5-2a5a34ae3465: configure-module/20configure is starting
2024-04-07T21:18:28+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/e972e7d8-6415-4c4a-a9e5-2a5a34ae3465: configure-module/30Enable_ban_onlocal_network is starting
2024-04-07T21:18:28+02:00 [1:crowdsec1:agent@crowdsec1] cscli parsers install crowdsecurity/whitelists
2024-04-07T21:18:28+02:00 [1:crowdsec1:agent@crowdsec1] Error: no container with name or ID "crowdsec1" found: no such container
2024-04-07T21:18:28+02:00 [1:crowdsec1:agent@crowdsec1]   File "/var/lib/nethserver/crowdsec1/actions/configure-module/30Enable_ban_onlocal_network", line 12, in <module>
2024-04-07T21:18:28+02:00 [1:crowdsec1:agent@crowdsec1] Traceback (most recent call last):
2024-04-07T21:18:28+02:00 [1:crowdsec1:agent@crowdsec1]     agent.run_helper("cscli", "parsers", action, "crowdsecurity/whitelists").check_returncode()
2024-04-07T21:18:28+02:00 [1:crowdsec1:agent@crowdsec1]   File "/usr/lib64/python3.11/subprocess.py", line 502, in check_returncode
2024-04-07T21:18:28+02:00 [1:crowdsec1:agent@crowdsec1] subprocess.CalledProcessError: Command '('cscli', 'parsers', 'install', 'crowdsecurity/whitelists')' returned non-zero exit status 125.
2024-04-07T21:18:28+02:00 [1:crowdsec1:agent@crowdsec1]     raise CalledProcessError(self.returncode, self.args, self.stdout,
2024-04-07T21:18:28+02:00 [1:crowdsec1:agent@crowdsec1] task/module/crowdsec1/e972e7d8-6415-4c4a-a9e5-2a5a34ae3465: action "configure-module" status is "aborted" (1) at step 30Enable_ban_onlocal_network

For today let's have a break. Many thanks to all helpers.

2 Likes

OK. Uwe. Good night.
For tomorrow, if you can check without the allow list or posting it here (or privately) as I think it could have something to do with the service not starting.

1 Like

https://www.youtube.com/watch?v=1x0q1Gdiph0 :wink:

2 Likes

Hi @dnutan,

the allow list is empty. And the other settings are set to Disabled. And yet CrowdSec does not start after booting the machine.

Regards

Uwe

Hm, it seems like a timing issue.

Crowdsec is going to be upgraded, at least there’s already a testing version 1.0.7-dev.4, maybe it’s better to wait for the release and use the “service restart workaround” in the meanwhile?

5 Likes

OK. I saw something about a whitelist and thought it could be from the allow list. My bad.

Ok, I will do so.

Ok,

The update to the latest version was installed. But the problem is the same as before.

<7>cscli parsers install crowdsecurity/whitelists
Error: no container with name or ID "crowdsec1" found: no such container
Traceback (most recent call last):
  File "/var/lib/nethserver/crowdsec1/actions/configure-module/30Enable_ban_onlocal_network", line 12, in <module>
    agent.run_helper("cscli", "parsers", action, "crowdsecurity/whitelists").check_returncode()
  File "/usr/lib64/python3.11/subprocess.py", line 502, in check_returncode
    raise CalledProcessError(self.returncode, self.args, self.stdout,
subprocess.CalledProcessError: Command '('cscli', 'parsers', 'install', 'crowdsecurity/whitelists')' returned non-zero exit status 125.

Removing and reinstalling does not bring me any improvement either. Same result.


I don’t know how the counter ‘n’ of the application is being crafted and noted (Redis?). Somehow I saw several miscounts with this number on several occasions in different posts.

Is there any way one could look at this counter or at the (Redis) database?

Where can I do that?

Let’s compare the instance name with the one used in cscli.

Check crowdsec instance name:

ls -d /var/lib/nethserver/crowdsec*

Check which instance name cscli is using:

grep crowdsec /usr/local/sbin/cscli

The instance names should be the same.

ls -d /var/lib/nethserver/crowdsec*
Output: /var/lib/nethserver/crowdsec2

grep crowdsec /usr/local/sbin/cscli
Output: grep: /usr/local/sbin/cscli: No such file or directory

Doesn’t look like it’s the same to me.

OK, let’s try the cscli command in the container:

podman exec -ti crowdsec2 cscli parsers install crowdsecurity/whitelists

Markus, I think we have a problem.

Error: no container with name or ID "crowdsec2" found: no such container

Let’s check which containers are there:

runagent -m crowdsec2 podman ps -a

CONTAINER ID  IMAGE                             COMMAND               CREATED      STATUS      PORTS       NAMES
c2d1a050cff5  ghcr.io/nethserver/restic:2.6.0   rclone serve webd...  2 hours ago  Up 2 hours              rclone-webdav
74bcf08f8592  ghcr.io/nethserver/redis:2.6.0    redis-server /dat...  2 hours ago  Up 2 hours              redis
e84d54b4ee48  docker.io/grafana/promtail:2.9.2  -config.file=/etc...  2 hours ago  Up 2 hours              promtail

The crowdsec containers are missing. Please try to pull the container manually:

podman pull docker.io/crowdsecurity/crowdsec:v1.6.0-1-debian

Trying to pull docker.io/crowdsecurity/crowdsec:v1.6.0-1-debian

Getting image source signatures
Copying blob 2e65882c876d skipped: already exists
Copying blob 2f44b7a888fa skipped: already exists
Copying blob 4ff91224ce73 skipped: already exists
Copying blob 1b107b594649 skipped: already exists
Copying blob 0e04bce09ab0 skipped: already exists
Copying blob 2c9ae7da17b0 skipped: already exists
Copying blob b4f860bc435e skipped: already exists
Copying blob 0046624aa265 skipped: already exists
Copying blob fbcbe88e834f skipped: already exists
Copying blob 1ee8c8e42d56 skipped: already exists
Copying config c460cfe336 done
Writing manifest to image destination
c460cfe3361a1af59646e0647f5640dde739b55c4611648e59dd4c2fd2c647c6
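
The checks walked through above (instance directory name, then the containers present in that module) can be combined into one script. This is an added example, not part of the original posts and not NethServer's own tooling. The function names, the `--live` switch and the sample table are assumptions; the last sample row is constructed to show a stopped container.

```bash
#!/usr/bin/env bash
# Added example: report whether each crowdsec module instance has a
# container of the same name, and whether that container is running.
# A missing or stopped container means no log acquisition and no new
# ban decisions from that instance.

# Turn module state directories into instance names,
# e.g. /var/lib/nethserver/crowdsec2 -> crowdsec2
instance_names() {
    local d
    for d in "$@"; do
        basename "$d"
    done
}

# container_state NAME  (reads a "podman ps -a" table on stdin)
# Prints "running", "stopped" or "missing" for the container called NAME.
container_state() {
    awk -v want="$1" '
        NR == 1 { next }                      # skip the header row
        $NF == want {                         # NAMES is the last column
            found = 1
            state = ($0 ~ / Up /) ? "running" : "stopped"
        }
        END { print (found ? state : "missing") }
    '
}

# Constructed sample: the table from the thread, plus one made-up row
# (ID 000000000000, name "example-stopped") for the stopped case.
SAMPLE_PS='CONTAINER ID  IMAGE                             COMMAND               CREATED      STATUS                  PORTS       NAMES
c2d1a050cff5  ghcr.io/nethserver/restic:2.6.0   rclone serve webd...  2 hours ago  Up 2 hours                          rclone-webdav
74bcf08f8592  ghcr.io/nethserver/redis:2.6.0    redis-server /dat...  2 hours ago  Up 2 hours                          redis
e84d54b4ee48  docker.io/grafana/promtail:2.9.2  -config.file=/etc...  2 hours ago  Up 2 hours                          promtail
000000000000  localhost/example:latest          sleep infinity        2 hours ago  Exited (0) 1 hour ago               example-stopped'

# Check every instance name against one captured table.
# $1 = "podman ps -a" output, remaining arguments = instance names.
check_instances() {
    local table="$1" inst
    shift
    for inst in "$@"; do
        printf '%s: %s\n' "$inst" \
            "$(printf '%s\n' "$table" | container_state "$inst")"
    done
}

# Live mode (hypothetical switch): query each module with the same
# commands used in the thread.
if [ "${1:-}" = "--live" ]; then
    for dir in /var/lib/nethserver/crowdsec*; do
        [ -d "$dir" ] || continue
        inst=$(basename "$dir")
        check_instances "$(runagent -m "$inst" podman ps -a)" "$inst"
    done
fi
```

Run with `--live` on the node itself; an instance reported as `missing` matches the "no such container" error from `cscli` seen in this thread.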