OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: FullyBorked on June 01, 2023, 08:27:44 PM

Title: No alerts in latest Crowdsec
Post by: FullyBorked on June 01, 2023, 08:27:44 PM
I was noticing I'm no longer seeing alerts in Crowdsec.  Anyone else noticing this after the latest update? 

I found a Reddit thread with the same issue; was just curious how widespread this might be or if anyone knew why it might be happening.

https://www.reddit.com/r/CrowdSec/comments/13xd7xf/no_decisions_or_alerts_in_5_days/
Title: Re: No alerts in latest Crowdsec
Post by: gstyle on June 01, 2023, 09:31:39 PM
Works normally for me.
Title: Re: No alerts in latest Crowdsec
Post by: mmetc on June 02, 2023, 11:27:03 AM
Hi!

Unfortunately, there is a one-line change required to have crowdsec 1.5+ pick up logs in opnsense. The release was tested with regular files but not symlinks.

You may not notice if you have additional scenarios and agents that don't acquire logs from symlinks, which is why for some people it's working.

The change is in /usr/local/etc/crowdsec/acquis.d/opnsense.yaml, just after force_inotify: true:

poll_without_inotify: true

followed by "# service crowdsec reload" or a restart from the GUI.

The fix has been merged in version 1.0.6 of the plugin.
Title: Re: No alerts in latest Crowdsec
Post by: franco on June 02, 2023, 11:48:15 AM
Anyone who requires it can install the patch https://github.com/opnsense/plugins/commit/b465377760 via:

# opnsense-patch -c plugins b465377760

(restarting crowdsec binary to pick up the configuration may be required)


Cheers,
Franco
Title: Re: No alerts in latest Crowdsec
Post by: FullyBorked on June 02, 2023, 02:44:55 PM
Thanks for the quick patch.   8)
Title: Re: No alerts in latest Crowdsec
Post by: FullyBorked on June 02, 2023, 02:50:57 PM
Pro tip: if you manually edited the opnsense.yaml file, the patch provided by franco will duplicate the line you manually added and the service will fail to start.   ;D
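Added example, not code from the os-crowdsec plugin or from anyone in this thread: a small POSIX sh script that makes the one-line change mmetc describes (insert "poll_without_inotify: true" right after "force_inotify: true") idempotently, and a count check you can run after applying franco's patch to confirm the key is present exactly once, which is the duplicate FullyBorked hit. The file path is a parameter so the functions can be exercised on a scratch copy; on the firewall it is /usr/local/etc/crowdsec/acquis.d/opnsense.yaml. The sample acquisition file is constructed (only the force_inotify key comes from the thread).

```shell
#!/bin/sh
# Added example; not code from the os-crowdsec plugin or from the thread.
# Idempotently add "poll_without_inotify: true" after "force_inotify: true"
# in a CrowdSec acquisition file, and count the key so a second manual edit
# or a later plugin patch can be checked for the duplicate-key failure.

# Exit 0 if the file already carries a top-level poll_without_inotify key.
has_poll_flag() {
    grep -q '^poll_without_inotify:' "$1"
}

# Number of top-level poll_without_inotify keys (must be exactly 1 after the fix).
count_poll_flag() {
    grep -c '^poll_without_inotify:' "$1" || true
}

# Insert "poll_without_inotify: true" directly after "force_inotify: true".
# Prints "added" or "unchanged"; fails if the anchor line is absent.
add_poll_flag() {
    f="$1"
    if has_poll_flag "$f"; then
        echo "unchanged"
        return 0
    fi
    if ! grep -q '^force_inotify: true' "$f"; then
        echo "no 'force_inotify: true' line in $f" >&2
        return 1
    fi
    tmp="$f.tmp.$$"
    # Copy every line; immediately after the anchor line emit the new key.
    awk '{ print } /^force_inotify: true/ { print "poll_without_inotify: true" }' "$f" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$f" || return 1
    echo "added"
}

# Constructed sample acquisition file (the real opnsense.yaml is not quoted
# in the thread; only the force_inotify key is taken from mmetc's post).
make_sample() {
    cat > "$1" <<'EOF'
filenames:
  - /var/log/filter/latest.log
labels:
  type: opnsense
force_inotify: true
EOF
}

# Stand-alone run on a scratch copy.  On the firewall: run add_poll_flag
# against the real path, then "service crowdsec reload".
if [ -z "$NO_DEMO" ]; then
    demo="${TMPDIR:-/tmp}/acquis-demo.$$.yaml"
    make_sample "$demo"
    add_poll_flag "$demo"
    add_poll_flag "$demo"
    echo "poll_without_inotify keys: $(count_poll_flag "$demo")"
    cat "$demo"
    rm -f "$demo"
fi
```

Pick one route, the manual edit or the plugin patch, not both; if you did edit by hand first and then apply the patch, run count_poll_flag against the real file and remove the extra line before reloading crowdsec.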
Title: Re: No alerts in latest Crowdsec
Post by: wbennett on June 04, 2023, 02:59:19 PM
Quote from: FullyBorked on June 02, 2023, 02:44:55 PM
Thanks for the quick patch.   8)
Opnsense newbie here. How would I go about applying this patch? Thx!
Title: Re: No alerts in latest Crowdsec
Post by: FullyBorked on June 04, 2023, 03:02:12 PM
Quote from: wbennett on June 04, 2023, 02:59:19 PM
Quote from: FullyBorked on June 02, 2023, 02:44:55 PM
Thanks for the quick patch.   8)
Opnsense newbie here. How would I go about applying this patch? Thx!

You'll need to SSH into your OPNsense box, press 8, then simply copy and paste (or type) opnsense-patch -c plugins b465377760 into your SSH session.  Then restart the crowdsec service.
Title: Re: No alerts in latest Crowdsec
Post by: wbennett on June 04, 2023, 03:08:22 PM
Quote from: FullyBorked on June 04, 2023, 03:02:12 PM
Quote from: wbennett on June 04, 2023, 02:59:19 PM
Quote from: FullyBorked on June 02, 2023, 02:44:55 PM
Thanks for the quick patch.   8)
Opnsense newbie here. How would I go about applying this patch? Thx!

You'll need to SSH into your OPNsense box, press 8, then simply copy and paste (or type) opnsense-patch -c plugins b465377760 into your SSH session.  Then restart the crowdsec service.
Worked, thanks!
Title: Re: No alerts in latest Crowdsec
Post by: FullyBorked on June 04, 2023, 03:13:59 PM
Quote from: wbennett on June 04, 2023, 03:08:22 PM
Quote from: FullyBorked on June 04, 2023, 03:02:12 PM
Quote from: wbennett on June 04, 2023, 02:59:19 PM
Quote from: FullyBorked on June 02, 2023, 02:44:55 PM
Thanks for the quick patch.   8)
Opnsense newbie here. How would I go about applying this patch? Thx!

You'll need to SSH into your OPNsense box, press 8, then simply copy and paste (or type) opnsense-patch -c plugins b465377760 into your SSH session.  Then restart the crowdsec service.
Worked, thanks!

Excellent, you're welcome.   8)
Title: Re: No alerts in latest Crowdsec
Post by: wbennett on June 06, 2023, 05:44:21 PM
Ran a Health audit and it shows checksum mismatches for os-crowdsec 1.0.5. Was this caused by the patch, and will it clear itself on the next update? Also, if I am not running Zenarmor, do I still need elasticsearch installed?

Thanks!

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 23.1.9 at Tue Jun  6 12:30:45 ADT 2023
>>> Check installed kernel version
Version 23.1.8 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.1.8 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-crowdsec 1.0.5
os-theme-rebellion 1.8.8
os-wireguard-go 1.13_5
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .
elasticsearch5-5.6.16_8: checksum mismatch for /usr/local/lib/elasticsearch/config/jvm.options
Checking all packages.......
os-crowdsec-1.0.5: checksum mismatch for /usr/local/etc/crowdsec/acquis.d/opnsense.yaml
os-crowdsec-1.0.5: checksum mismatch for /usr/local/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
os-crowdsec-1.0.5: checksum mismatch for /usr/local/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
Checking all packages........ done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: ................................................................... done
***DONE***
Title: Re: No alerts in latest Crowdsec
Post by: franco on June 07, 2023, 09:03:41 AM
Yes. If you open the patch you can see these files are being modified ;)

https://github.com/opnsense/plugins/commit/b465377760
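Added example, not part of the thread or of OPNsense's audit tooling: a POSIX sh check that splits the "checksum mismatch" lines of a health audit into those explained by files the patch touches and those that are not, which is the question wbennett asked. The expected-file list is the three os-crowdsec files franco confirms commit b465377760 modifies; the audit excerpt is copied from wbennett's post above. On the firewall the same lines come from pkg's checksum verification, so feeding it the output of "pkg check -s os-crowdsec" should work as well (assumption: same line format as the audit).

```shell
#!/bin/sh
# Added example; not from the thread or from OPNsense.  Classify health-audit
# checksum mismatches as explained (file touched by the applied patch) or
# unexplained (anything else, which deserves a second look).

# Files commit b465377760 is known, from the thread, to alter.
PATCHED_FILES='/usr/local/etc/crowdsec/acquis.d/opnsense.yaml
/usr/local/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
/usr/local/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt'

# Audit excerpt copied from wbennett's post (package-file check only).
SAMPLE_AUDIT='>>> Check for missing or altered package files
Checking all packages: .
elasticsearch5-5.6.16_8: checksum mismatch for /usr/local/lib/elasticsearch/config/jvm.options
Checking all packages.......
os-crowdsec-1.0.5: checksum mismatch for /usr/local/etc/crowdsec/acquis.d/opnsense.yaml
os-crowdsec-1.0.5: checksum mismatch for /usr/local/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
os-crowdsec-1.0.5: checksum mismatch for /usr/local/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
Checking all packages........ done'

# stdin: audit output.  stdout: "<package> <path>" for every mismatch line.
mismatches() {
    sed -n 's/^\([^ :][^ :]*\): checksum mismatch for \(.*\)$/\1 \2/p'
}

# stdin: audit output.  stdout: mismatches whose path is in PATCHED_FILES.
explained() {
    mismatches | while read -r pkg path; do
        if printf '%s\n' "$PATCHED_FILES" | grep -qxF "$path"; then
            printf '%s %s\n' "$pkg" "$path"
        fi
    done
}

# stdin: audit output.  stdout: mismatches whose path is NOT in PATCHED_FILES.
unexplained() {
    mismatches | while read -r pkg path; do
        if ! printf '%s\n' "$PATCHED_FILES" | grep -qxF "$path"; then
            printf '%s %s\n' "$pkg" "$path"
        fi
    done
}

# stdin: lines.  stdout: their count without the leading blanks wc -l may add.
count_lines() {
    grep -c . || true
}

# stdin: audit output.  Exit 0 when every mismatch is explained by the patch,
# otherwise list the unexplained ones and exit 1.
check_audit() {
    input=$(cat)
    bad=$(printf '%s\n' "$input" | unexplained)
    if [ -z "$bad" ]; then
        echo "ok: all checksum mismatches are from the patch"
        return 0
    fi
    printf 'unexplained:\n%s\n' "$bad"
    return 1
}

# Stand-alone run over the thread's excerpt: the three os-crowdsec files are
# explained, the elasticsearch jvm.options edit is not.
if [ -z "$NO_DEMO" ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | check_audit || true
fi
```

The three os-crowdsec mismatches are exactly what franco says the patch changes, and they go away when the next plugin version ships the fix in the package itself; the jvm.options mismatch is unrelated to this patch and is the kind of line this check is meant to surface.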