No alerts in latest Crowdsec

Started by FullyBorked, June 01, 2023, 08:27:44 PM

I was noticing I'm no longer seeing alerts in Crowdsec.  Anyone else noticing this after the latest update? 

I found a Reddit thread with the same issue; I was just curious how widespread this might be or if anyone knew why it might be happening.

https://www.reddit.com/r/CrowdSec/comments/13xd7xf/no_decisions_or_alerts_in_5_days/


June 02, 2023, 11:27:03 AM #2 Last Edit: June 02, 2023, 11:37:06 AM by mmetc
Hi!

Unfortunately, there is a one-line change required to have crowdsec 1.5+ pick up logs in opnsense. The release was tested with regular files but not symlinks.

You may not notice if you have additional scenarios and agents that don't acquire logs from symlinks, which is why for some people it's working.

The change is in /usr/local/etc/crowdsec/acquis.d/opnsense.yaml, just after force_inotify: true:

poll_without_inotify: true

followed by "# service crowdsec reload" or restart from the GUI

The fix has been merged in version 1.0.6 of the plugin.

Anyone who requires it can install the patch https://github.com/opnsense/plugins/commit/b465377760 via:

# opnsense-patch -c plugins b465377760

(restarting crowdsec binary to pick up the configuration may be required)


Cheers,
Franco

Thanks for the quick patch.   8)

Pro tip: if you manually edited the opnsense.yaml file, the patch provided by Franco will duplicate the line you manually added and the service will fail to start.   ;D
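An added check script, not from this thread or the os-crowdsec plugin, for the two failure modes described above: the poll_without_inotify line missing from an acquis.d file (symlinked logs are not read by crowdsec 1.5+), and the line present twice after a manual edit plus the patch (duplicate YAML key, service fails to start). It is written for the OPNsense shell; the sample files it writes are constructed and only mimic the shape of opnsense.yaml.

```sh
#!/bin/sh
# Added example (not the plugin's code). Checks a crowdsec acquisition file such as
# /usr/local/etc/crowdsec/acquis.d/opnsense.yaml for the poll_without_inotify key,
# per "---"-separated YAML document since acquis files may hold several.
# Exit status: 0 ok, 1 missing, 2 duplicated, 3 present but not "true", 4 unreadable.
check_acquis() {
    file="$1"
    [ -r "$file" ] || { echo "$file: cannot read" >&2; return 4; }
    # awk prints three counters: documents missing the key, with it duplicated, with a non-true value
    set -- $(awk -v key="poll_without_inotify:" '
        function flush() {
            if (!body) return                  # ignore empty documents (e.g. leading ---)
            if (n == 0) missing++
            else if (n > 1) dup++
            else if (v != "true") bad++
            n = 0; v = ""; body = 0
        }
        /^[ \t]*(#|$)/ { next }                # skip comment and blank lines
        /^---/ { flush(); next }               # document separator
        { body = 1 }
        $1 == key { n++; v = $2 }              # default FS ignores leading indentation
        END { flush(); printf "%d %d %d\n", missing, dup, bad }
    ' "$file")
    if [ "$2" -gt 0 ]; then
        echo "$file: poll_without_inotify duplicated in $2 document(s); crowdsec will fail to start"
        return 2
    elif [ "$1" -gt 0 ]; then
        echo "$file: poll_without_inotify missing in $1 document(s); symlinked logs will not be read"
        return 1
    elif [ "$3" -gt 0 ]; then
        echo "$file: poll_without_inotify is set but not 'true' in $3 document(s)"
        return 3
    fi
    echo "$file: OK"
}

# Constructed sample files (shape only; not a copy of the real opnsense.yaml).
write_samples() {
    printf 'source: file\nfilenames:\n  - /var/log/filter/latest.log\nforce_inotify: true\npoll_without_inotify: true\n' > "$1/patched.yaml"
    printf 'source: file\nfilenames:\n  - /var/log/filter/latest.log\nforce_inotify: true\n' > "$1/unpatched.yaml"
    printf 'force_inotify: true\npoll_without_inotify: true\npoll_without_inotify: true\n' > "$1/duplicated.yaml"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in patched unpatched duplicated; do check_acquis "$dir/$f.yaml" || echo "  -> exit status $?"; done
rm -rf "$dir"
```

On a live box, run check_acquis against each file in /usr/local/etc/crowdsec/acquis.d/ before restarting the service.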

Quote from: FullyBorked on June 02, 2023, 02:44:55 PM
Thanks for the quick patch.   8)
Opnsense newbie here. How would I go about applying this patch? Thx!

Quote from: wbennett on June 04, 2023, 02:59:19 PM
Quote from: FullyBorked on June 02, 2023, 02:44:55 PM
Thanks for the quick patch.   8)
Opnsense newbie here. How would I go about applying this patch? Thx!

You'll need to SSH into your OPNsense box, press 8, then simply copy and paste (or type) opnsense-patch -c plugins b465377760 into your SSH session.  Then restart the crowdsec service.

Quote from: FullyBorked on June 04, 2023, 03:02:12 PM
Quote from: wbennett on June 04, 2023, 02:59:19 PM
Quote from: FullyBorked on June 02, 2023, 02:44:55 PM
Thanks for the quick patch.   8)
Opnsense newbie here. How would I go about applying this patch? Thx!

You'll need to SSH into your OPNsense box, press 8, then simply copy and paste (or type) opnsense-patch -c plugins b465377760 into your SSH session.  Then restart the crowdsec service.
Worked, thanks!

Quote from: wbennett on June 04, 2023, 03:08:22 PM
Quote from: FullyBorked on June 04, 2023, 03:02:12 PM
Quote from: wbennett on June 04, 2023, 02:59:19 PM
Quote from: FullyBorked on June 02, 2023, 02:44:55 PM
Thanks for the quick patch.   8)
Opnsense newbie here. How would I go about applying this patch? Thx!

You'll need to SSH into your OPNsense box, press 8, then simply copy and paste (or type) opnsense-patch -c plugins b465377760 into your SSH session.  Then restart the crowdsec service.
Worked, thanks!

Excellent, you're welcome.   8)

June 06, 2023, 05:44:21 PM #10 Last Edit: June 06, 2023, 06:40:21 PM by wbennett
Ran a Health audit and it shows checksum mismatches for os-crowdsec 1.0.5. Was this caused by the patch, and will it clear itself on the next update? Also, if I am not running Zenarmor, do I still need elasticsearch installed?

Thanks!

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 23.1.9 at Tue Jun  6 12:30:45 ADT 2023
>>> Check installed kernel version
Version 23.1.8 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.1.8 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-crowdsec 1.0.5
os-theme-rebellion 1.8.8
os-wireguard-go 1.13_5
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .
elasticsearch5-5.6.16_8: checksum mismatch for /usr/local/lib/elasticsearch/config/jvm.options
Checking all packages.......
os-crowdsec-1.0.5: checksum mismatch for /usr/local/etc/crowdsec/acquis.d/opnsense.yaml
os-crowdsec-1.0.5: checksum mismatch for /usr/local/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
os-crowdsec-1.0.5: checksum mismatch for /usr/local/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
Checking all packages........ done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: ................................................................... done
***DONE***

Yes. If you open the patch, you can see these files are being modified ;)

https://github.com/opnsense/plugins/commit/b465377760