Messages - nemric

#1
Crowdsec is now stable so this issue is solved for the moment ^^
#2
25.7 Series / Re: Crowdsec stop parsing log lines
July 25, 2025, 01:41:44 PM
Well, after reading logs, it appears that the problem comes from /var/log/nginx/permanentban.access.log that is deleted/recreated too often and crowdsec seems to wait for it and ... finally the reader died for the nginx directory

I did add :
exclude_regexps:
  - permanentban*

in /usr/local/etc/crowdsec/acquis.yaml
and it seems that crowdsec is now stable ... wait and see
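
Added example, not part of the post above and not CrowdSec's own code: a Go sketch of how the posted globs and an exclude pattern decide which files get tailed. It assumes each `exclude_regexps` entry is an unanchored regular expression tested against the full path; the `example` and `permanentbackup` file names and the stricter pattern `/permanentban\.` are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// Globs copied from the nginx stanza of the acquis.yaml shown on this page.
var nginxGlobs = []string{"/var/log/nginx/*.error.log", "/var/log/nginx/*.access.log"}

// Constructed listing; only permanentban.access.log and latest.log come from the page.
var samplePaths = []string{
	"/var/log/nginx/permanentban.access.log",
	"/var/log/nginx/permanentbackup.access.log",
	"/var/log/nginx/example.access.log",
	"/var/log/nginx/example.error.log",
	"/var/log/nginx/latest.log",
}

// selectFiles keeps paths matching a glob and no exclude (assumed: unanchored regexp on full path).
func selectFiles(paths, globs, excludes []string) ([]string, error) {
	var kept []string
	for _, p := range paths {
		keep := false
		for _, g := range globs {
			if ok, _ := path.Match(g, p); ok { // globs above are well-formed constants
				keep = true
			}
		}
		for _, e := range excludes {
			if hit, err := regexp.MatchString(e, p); err != nil {
				return nil, fmt.Errorf("bad exclude %q: %w", e, err)
			} else if hit {
				keep = false
			}
		}
		if keep {
			kept = append(kept, p)
		}
	}
	return kept, nil
}

func main() {
	// Second pattern is a constructed, stricter alternative to the one in the post.
	for _, ex := range []string{"permanentban*", `/permanentban\.`} {
		files, err := selectFiles(samplePaths, nginxGlobs, []string{ex})
		fmt.Println(ex, "->", files, err)
	}
}
```

Read as a regular expression, `permanentban*` means "permanentba" followed by any number of "n", so it also drops the constructed permanentbackup.access.log; any file excluded this way is no longer read by the nginx parser.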
#3
25.7 Series / Re: netflow on 25.7
July 24, 2025, 09:49:03 PM
works fine :) thanks ;)
#4
Hi :)
I did install and run crowdsec since a while, did activate prometheus metrics and scrape them, then I didn't look at this so much
I did purchase enterprise plan, so, I did believe that subscribed block-lists prevented alerts to occur

After upgrading to 25.7 I did see some metrics (due to reboot of opnsense and crowdsec) then I did dive deeper in crowdsec
It looks like everything works fine for a moment then metrics show me that there are no more parsed lines

I did check from
cscli parsers inspect crowdsecurity/nginx-logs
and it looks like metrics are right, running the command multiple times doesn't show hits/parsed number increasing at all, and files <nginx>.access|error.log are still logging new lines

I don't know if this is relative to 25.7 or not because as said, I didn't look at crowdsec deep enough until few days

I can see some warnings like
level=warning msg="file reader died : Failed to detect creation of /var/log/nginx/permanentban.access.log: \"/var/log/nginx/latest.log\": open /var/log/nginx/latest.log: not a directory" tail=/var/log/nginx/permanentban.access.log type=file
but I did exclude /var/log/nginx/latest.log from config
:~ # cat /usr/local/etc/crowdsec/acquis.yaml
filenames:
  - /var/log/nginx/*.error.log
  - /var/log/nginx/*.access.log
#this is not a syslog log, indicate which kind of logs it is
labels:
  type: nginx
---
filenames:
 - /var/log/auth.log
 - /var/log/syslog
labels:
  type: syslog
---
filenames:
 - /var/log/httpd-access.log
 - /var/log/httpd-error.log
labels:
  type: apache2

So does anyone else see crowdsec stop parsing nginx log files after some time (like one hour)?
#5
25.1, 25.4 Series / Re: 25.1 FRR Errors
January 29, 2025, 09:06:09 PM
Did the upgrade 10 minutes too early ^^
Well the fix did the job, thanks
#6
Hi, that is "expected" :D

I did find a post on the github project / issues that provides a patch for that and another one for nginx logs that show permission denied on write
#7
22.1 Legacy Series / Re: Question relative to dnsmasq
February 02, 2022, 05:23:48 PM
Your status is the right one : Hero Member
#8
22.1 Legacy Series / Question relative to dnsmasq
February 02, 2022, 03:39:36 PM
Hi,

I was using dnsmasq as a tftp boot server, after update to 22.1, and going back to 21.7 and back again to 22.1 I've lost all my files and so on ... not the real problem

I'd like to set it up again but it seems that custom-options are not available anymore (I knew that, it was said in a previous update) and it seems that /usr/local/etc/dnsmasq.conf isn't read. (didn't try yet but all lines are commented out)

It seems that conf is read from the config file from opnsense and executed with arguments
e.g. /usr/local/sbin/dnsmasq --rebind-localhost-ok --stop-dns-rebind -H /var/etc/dnsmasq-hosts --port=5353 ...

My concern is about how to "hack" and set custom values to dnsmasq.conf (or elsewhere) to set my tftp server on again ?
#9
22.1 Legacy Series / Re: DHCP send option not sent
February 01, 2022, 07:35:04 PM
Quote from: franco on February 01, 2022, 01:33:21 PM
More places nobody reads proactively and complains about documentation quality when things went wrong. Yay! :)

you're rude, but this is real.

I've noticed changes about vlan and mac spoofing but advice was clear for me, mac spoofing only concerns the interface where it was set ... in my case I leave it as is, this was an error

So now my issue is resolved, thanks to you, and doc is updated for being more complete, that's a good point !

Thanks again
#10
22.1 Legacy Series / Re: DHCP send option not sent
January 31, 2022, 07:50:19 PM
Thanks a lot @Franco for the time you spent for us  ;)
#11
22.1 Legacy Series / Re: DHCP send option not sent
January 31, 2022, 07:21:01 PM
Well, I don't understand everything as it becomes a bit technical...

The option I've chosen, as I'm writing through a 22.1 live os :

  • enable wan interface, without any "IPv4-6 Configuration Type" (set to "none")
  • enable Promiscuous mode on wan interface
  • leave vlan interface with spoofed mac as is

let me know if you find my choice is fine or if you think I should have set the same mac on wan and vlan
#12
22.1 Legacy Series / Re: DHCP send option not sent
January 31, 2022, 04:54:06 PM
Quote from: nivek1612 on January 31, 2022, 04:48:37 PM
If I add this mac address to the VLAN parent interface as well I get an IP address and all is working well.

Is that how it should work ? What if you have another vlan with spoofed mac with the same parent ?
#13
22.1 Legacy Series / Re: DHCP send option not sent
January 31, 2022, 04:44:25 PM
English is not my native language so I'm not sure about this point.

The wan (em1) interface is disabled on 21.7 and has no mac spoofing in its conf
The vlan100 whose parent is em1/wan (em1_vlan100) uses the spoofed mac address in its config (Mac address : This field can be used to spoof the MAC address of the interface. Enter a MAC address in the following format: xx:xx:xx:xx:xx:xx or leave blank if unsure. This may only be required e.g. with certain cable connections on a WAN interface.)

[edit] The mac address sent by dhclient is the good one, see it in the .cap file
#14
22.1 Legacy Series / Re: DHCP send option not sent
January 31, 2022, 03:31:02 PM
Hi,
So, I did it, and that didn't work but I have a clue !

Quote from: nivek1612
you won't believe this. turned on capture. re saved WAN. now it shows an IP

Like Nivek, I turned on capture in promiscuous mode and I get an IP !

I was working with the live OS and the new dhclient from 22.1 (not the one you asked me to download)
#15
22.1 Legacy Series / Re: DHCP send option not sent
January 31, 2022, 02:38:22 PM
Quote from: franco on January 31, 2022, 01:08:42 PM
nemric: in your case the discover is never answered. have you had your VLAN parent assigned and enabled? it looks like the outgoing package is never received by the other end.

::) vlan is assigned to a parent but as I don't need it the parent is disabled, that's my 21.7 config