crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License
8.1k stars 419 forks

unable to start crowdsec routines: authenticate watcher () - panic: runtime error #3088

Closed dtouzeau closed 1 week ago

dtouzeau commented 1 week ago

What happened?

Migrating from 1.5 to 1.6 got

time="2024-06-17T17:38:18+02:00" level=fatal msg="unable to start crowdsec routines: authenticate watcher (): Post \"http://127.0.0.1:8080/v1/watchers/login\": performing jwt auth: dial tcp 127.0.0.1:8080: connect: connection refused"

```console
version: v1.6.2-16bfab86
Codename: alphaga
BuildDate: 2024-05-31_08:29:22
GoVersion: 1.22.3
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.2-16bfab86-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
```

Run in trace mode gives

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x8af1b1]

goroutine 13 [running]:
net/http/httputil.DumpResponse(0x0, 0x1)
        net/http/httputil/dump.go:308 +0x31
github.com/crowdsecurity/crowdsec/pkg/apiclient.(*JWTTransport).RoundTrip(0xc0008992c0, 0xc0010b2120)
        github.com/crowdsecurity/crowdsec/pkg/apiclient/auth_jwt.go:189 +0x19f
net/http.send(0xc0010b2120, {0x2888b60, 0xc0008992c0}, {0xc000aeb701?, 0xc000aeb800?, 0x0?})
        net/http/client.go:259 +0x5e4
net/http.(*Client).send(0xc0008f6630, 0xc0010b2120, {0xc0008f7f80?, 0x10?, 0x0?})
        net/http/client.go:180 +0x98
net/http.(*Client).do(0xc0008f6630, 0xc0010b2120)
        net/http/client.go:724 +0x8dc
net/http.(*Client).Do(...)
        net/http/client.go:590
github.com/crowdsecurity/crowdsec/pkg/apiclient.(*ApiClient).Do(0xc000904680, {0x28a0b88, 0x39941c0}, 0xc0010b2000, {0x1f462a0, 0xc0008f6780})
        github.com/crowdsecurity/crowdsec/pkg/apiclient/client_http.go:68 +0x317
github.com/crowdsecurity/crowdsec/pkg/apiclient.(*AuthService).AuthenticateWatcher(0xc000904688, {0x28a0b88, 0x39941c0}, {0xc000f56410, 0xc000c84ce0, {0xc000939b88, 0x28, 0x28}})
        github.com/crowdsecurity/crowdsec/pkg/apiclient/auth_service.go:65 +0x19b
main.AuthenticatedLAPIClient({{0x0, 0x0}, {0xc000047a40, 0x16}, {0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, ...}, ...)
        github.com/crowdsecurity/crowdsec/cmd/crowdsec/lapiclient.go:73 +0x87c
main.runCrowdsec(0xc00033d420, 0xc000d04480, 0xc000834200, {0x0?, 0x0?, 0x0?})
        github.com/crowdsecurity/crowdsec/cmd/crowdsec/crowdsec.go:126 +0x225
main.Serve.serveCrowdsec.func1.1()
        github.com/crowdsecurity/crowdsec/cmd/crowdsec/crowdsec.go:188 +0x108
created by main.Serve.serveCrowdsec.func1 in goroutine 10
        github.com/crowdsecurity/crowdsec/cmd/crowdsec/crowdsec.go:182 +0x11c

What did you expect to happen?

None

How can we reproduce it (as minimally and precisely as possible)?

Something wrong in config between 1.5 and 1.6

Anything else we need to know?

No response

Crowdsec version

```console
/usr/local/sbin/cscli version
version: v1.6.2-16bfab86
Codename: alphaga
BuildDate: 2024-05-31_08:29:58
GoVersion: 1.22.3
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.2-16bfab86-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
```

OS version

```console
# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here
```

Enabled collections and parsers

```console
$ cscli hub list -o raw
# paste output here
```

Acquisition config

```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
filenames:
  - /var/log/nginx/crowdsec.log
labels:
  type: nginx
---
filenames:
  - /var/log/auth.log
  - /var/log/sshd.log
  - /var/log/syslog
labels:
  type: syslog
---
filename: /var/log/apache2/*.log
labels:
  type: apache2
---
filenames:
  - /var/log/artica-webauth.log
labels:
  type: articalogon
cat: '/etc/crowdsec/acquis.d/*': No such file or directory
```

Config show

```console
Global:
  - Configuration Folder : /etc/crowdsec
  - Data Folder : /var/lib/crowdsec/data
  - Hub Folder : /etc/crowdsec/hub
  - Simulation File : /etc/crowdsec/simulation.yaml
  - Log Folder : /var/log/crowdsec
  - Log level : info
  - Log Media : file
Crowdsec:
  - Acquisition File : /etc/crowdsec/acquis.yaml
  - Parsers routines : 1
  - Acquisition Folder : /etc/crowdsec/acquis.d
cscli:
  - Output : human
  - Hub Branch :
API Client:
  - URL : http://127.0.0.1:8080/
  - Login :
  - Credentials File : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL : 127.0.0.1:8808
  - Listen Socket :
  - Profile File : /etc/crowdsec/profiles.yaml
  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type : sqlite
      - Path : /home/artica/SQLITE/crowdsec.db
      - Flush age : 7d
      - Flush size : 5000
```

Prometheus metrics

```console
$ cscli metrics
# paste output here
```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

github-actions[bot] commented 1 week ago

@dtouzeau: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

blotus commented 1 week ago

Hello,

Looking at the stacktrace and the code, it seems this crash can only happen when running with log_level: trace and an error occurred when trying to establish the connection to LAPI.

Can you set log_level to either info or debug and try again? The stacktrace is misleading, and LAPI has not started for another reason (look for any error logs in /var/log/crowdsec.log).

You can also comment the entire crowdsec_service section in /etc/crowdsec/config.yaml to disable the log processor, that way any LAPI-related error should be easier to see.
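
The failure mode described in the comment above, as an added Go example (not CrowdSec's code and not part of the original comment): a trace-logging `RoundTripper` that dumps the response before checking the transport error panics on a nil response, while checking the error first returns the connection error. `tracingTransport`, `refusedTransport` and `login` are hypothetical names, and the refused connection is simulated so the block runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httputil"
	"strings"
)

// refusedTransport is a constructed stand-in for an unreachable LAPI: like a
// real transport after a failed dial, it returns a nil response and an error.
type refusedTransport struct{}

func (refusedTransport) RoundTrip(*http.Request) (*http.Response, error) {
	return nil, errors.New("dial tcp 127.0.0.1:8080: connect: connection refused")
}

// tracingTransport is a hypothetical wrapper that dumps responses when trace
// logging is enabled. With guard=false it dumps before looking at the error.
type tracingTransport struct {
	next  http.RoundTripper
	trace bool
	guard bool
	dumps []string
}

func (t *tracingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := t.next.RoundTrip(req)
	if t.guard && err != nil {
		// Hardened order: surface the transport error before touching resp.
		return nil, fmt.Errorf("performing jwt auth: %w", err)
	}
	if t.trace {
		// Unguarded path: resp is nil after a failed dial, so DumpResponse
		// dereferences a nil pointer and the goroutine panics.
		if dump, dumpErr := httputil.DumpResponse(resp, true); dumpErr == nil {
			t.dumps = append(t.dumps, string(dump))
		}
	}
	return resp, err
}

// login posts to the watcher login path through the wrapper and reports
// whether the call panicked, plus the error the caller would see.
func login(trace, guard bool) (panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	client := &http.Client{Transport: &tracingTransport{
		next: refusedTransport{}, trace: trace, guard: guard,
	}}
	resp, err := client.Post("http://127.0.0.1:8080/v1/watchers/login",
		"application/json", strings.NewReader("{}"))
	if err == nil {
		resp.Body.Close()
	}
	return false, err
}

func main() {
	cases := []struct{ trace, guard bool }{{true, false}, {true, true}, {false, false}}
	for _, c := range cases {
		panicked, err := login(c.trace, c.guard)
		fmt.Printf("trace=%v guard=%v panicked=%v err=%v\n", c.trace, c.guard, panicked, err)
	}
}
```

Only the trace-enabled, unguarded case panics; the other two report the underlying connection error.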

dtouzeau commented 1 week ago

Got these relevant logs:

time="2024-06-17T18:57:20+02:00" level=debug msg="non-empty acquisition_path /etc/crowdsec/acquis.yaml"
time="2024-06-17T18:57:20+02:00" level=warning msg="can't load CAPI credentials from '/etc/crowdsec/online_api_credentials.yaml' (missing login field)"
time="2024-06-17T18:57:20+02:00" level=info msg="push and pull to Central API disabled"
time="2024-06-17T18:57:20+02:00" level=debug msg="no console_management found, setting to false"
time="2024-06-17T18:57:20+02:00" level=debug msg="Console configuration '/etc/crowdsec/console.yaml' loaded successfully"
time="2024-06-17T18:57:20+02:00" level=info msg="Enabled feature flags: <none>"
time="2024-06-17T18:57:20+02:00" level=info msg="Crowdsec v1.6.2-16bfab86"
time="2024-06-17T18:57:20+02:00" level=info msg="Loading prometheus collectors"
time="2024-06-17T18:57:20+02:00" level=warning msg="Communication with CrowdSec Central API disabled from configuration file"
time="2024-06-17T18:57:20+02:00" level=info msg="push and pull to Central API disabled"
time="2024-06-17T18:57:20+02:00" level=debug msg="starting FlushAgentsAndBouncers"
time="2024-06-17T18:57:20+02:00" level=debug msg="starting router, logging to /var/log/crowdsec/crowdsec_api.log"
time="2024-06-17T18:57:20+02:00" level=debug msg="serving API after 53.091421ms ms"
time="2024-06-17T18:57:20+02:00" level=debug msg="loading hub idx /etc/crowdsec/hub/.index.json"
time="2024-06-17T18:57:20+02:00" level=info msg="CrowdSec Local API listening on 127.0.0.1:8808"
time="2024-06-17T18:57:20+02:00" level=debug msg="7 item types in hub index"
time="2024-06-17T18:57:20+02:00" level=debug msg="crowdsecurity/sshd dependencies not checked: not up-to-date"
time="2024-06-17T18:57:20+02:00" level=debug msg="crowdsecurity/base-http-scenarios dependencies not checked: not up-to-date"
time="2024-06-17T18:57:20+02:00" level=debug msg="console context to send: {}"
time="2024-06-17T18:57:20+02:00" level=info msg="Loading grok library /etc/crowdsec/patterns"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loaded 24 pattern files"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loaded 24 pattern files"
time="2024-06-17T18:57:21+02:00" level=info msg="Loading enrich plugins"
time="2024-06-17T18:57:21+02:00" level=info msg="Successfully registered enricher 'GeoIpCity'"
time="2024-06-17T18:57:21+02:00" level=info msg="Successfully registered enricher 'GeoIpASN'"
time="2024-06-17T18:57:21+02:00" level=info msg="Successfully registered enricher 'IpToRange'"
time="2024-06-17T18:57:21+02:00" level=info msg="Successfully registered enricher 'reverse_dns'"
time="2024-06-17T18:57:21+02:00" level=info msg="Successfully registered enricher 'ParseDate'"
time="2024-06-17T18:57:21+02:00" level=info msg="Successfully registered enricher 'UnmarshalJSON'"
time="2024-06-17T18:57:21+02:00" level=info msg="Loading parsers from 7 files"
time="2024-06-17T18:57:21+02:00" level=debug msg="loading parser file '{/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml s00-raw}'"
time="2024-06-17T18:57:21+02:00" level=info msg="Loaded 2 parser nodes" file=/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml stage=s00-raw
time="2024-06-17T18:57:21+02:00" level=debug msg="loading parser file '{/etc/crowdsec/parsers/s01-parse/articalogon.yaml s01-parse}'"
time="2024-06-17T18:57:21+02:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/articalogon.yaml stage=s01-parse
time="2024-06-17T18:57:21+02:00" level=debug msg="loading parser file '{/etc/crowdsec/parsers/s01-parse/nginx-logs.yaml s01-parse}'"
time="2024-06-17T18:57:21+02:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/nginx-logs.yaml stage=s01-parse
time="2024-06-17T18:57:21+02:00" level=debug msg="loading parser file '{/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml s01-parse}'"
time="2024-06-17T18:57:21+02:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse
time="2024-06-17T18:57:21+02:00" level=debug msg="loading parser file '{/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml s02-enrich}'"
time="2024-06-17T18:57:21+02:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml stage=s02-enrich
time="2024-06-17T18:57:21+02:00" level=debug msg="loading parser file '{/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml s02-enrich}'"
time="2024-06-17T18:57:21+02:00" level=debug msg="init (folder:/var/lib/crowdsec/data) (file:GeoLite2-City.mmdb) (type:)"
time="2024-06-17T18:57:21+02:00" level=debug msg="ignored file /var/lib/crowdsec/dataGeoLite2-City.mmdb because no type specified"
time="2024-06-17T18:57:21+02:00" level=debug msg="init (folder:/var/lib/crowdsec/data) (file:GeoLite2-ASN.mmdb) (type:)"
time="2024-06-17T18:57:21+02:00" level=debug msg="ignored file /var/lib/crowdsec/dataGeoLite2-ASN.mmdb because no type specified"
time="2024-06-17T18:57:21+02:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml stage=s02-enrich
time="2024-06-17T18:57:21+02:00" level=debug msg="loading parser file '{/etc/crowdsec/parsers/s02-enrich/http-logs.yaml s02-enrich}'"
time="2024-06-17T18:57:21+02:00" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/http-logs.yaml stage=s02-enrich
time="2024-06-17T18:57:21+02:00" level=info msg="Loaded 8 nodes from 3 stages"
time="2024-06-17T18:57:21+02:00" level=info msg="No postoverflow parsers to load"
time="2024-06-17T18:57:21+02:00" level=info msg="Loading 40 scenario files"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/thinkphp-cve-2018-20062.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=wild-feather name=crowdsecurity/thinkphp-cve-2018-20062
time="2024-06-17T18:57:21+02:00" level=debug msg="init (folder:/var/lib/crowdsec/data) (file:thinkphp_cve_2018-20062.txt) (type:string)"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/artica-nginx444.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=frosty-frog name=artica/nginx-444
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-xss-probing.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=red-wildflower name=crowdsecurity/http-xss-probbing
time="2024-06-17T18:57:21+02:00" level=debug msg="init (folder:/var/lib/crowdsec/data) (file:xss_probe_patterns.txt) (type:string)"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/vmware-vcenter-vmsa-2021-0027.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=crimson-dust name=crowdsecurity/vmware-vcenter-vmsa-2021-0027
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-sensitive-files.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=solitary-breeze name=crowdsecurity/http-sensitive-files
time="2024-06-17T18:57:21+02:00" level=debug msg="init (folder:/var/lib/crowdsec/data) (file:sensitive_data.txt) (type:string)"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-cve-2021-42013.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=bitter-breeze name=crowdsecurity/http-cve-2021-42013
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/ssh-slow-bf.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=dark-bird name=crowdsecurity/ssh-slow-bf
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=small-violet name=crowdsecurity/ssh-slow-bf_user-enum
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-generic-bf.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=muddy-leaf name=crowdsecurity/http-generic-bf
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=patient-brook name=LePresidente/http-generic-401-bf
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=still-night name=LePresidente/http-generic-403-bf
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/fortinet-cve-2018-13379.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=quiet-waterfall name=crowdsecurity/fortinet-cve-2018-13379
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-w00tw00t.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=small-smoke name=ltsich/http-w00tw00t
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-sqli-probing.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=winter-moon name=crowdsecurity/http-sqli-probbing-detection
time="2024-06-17T18:57:21+02:00" level=debug msg="init (folder:/var/lib/crowdsec/data) (file:sqli_probe_patterns.txt) (type:string)"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-crawl-non_statics.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=polished-moon name=crowdsecurity/http-crawl-non_statics
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-cve-2021-41773.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=billowing-butterfly name=crowdsecurity/http-cve-2021-41773
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-open-proxy.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=misty-darkness name=crowdsecurity/http-open-proxy
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/CVE-2022-41697.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=twilight-sky name=crowdsecurity/CVE-2022-41697
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=sparkling-meadow name=crowdsecurity/iptables-scan-multi_ports
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/pulse-secure-sslvpn-cve-2019-11510.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=billowing-wind name=crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/spring4shell_cve-2022-22965.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=red-star name=crowdsecurity/spring4shell_cve-2022-22965
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/CVE-2022-37042.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=polished-paper name=crowdsecurity/CVE-2022-37042
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/CVE-2019-18935.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=quiet-sun name=crowdsecurity/CVE-2019-18935
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/CVE-2022-26134.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=red-darkness name=crowdsecurity/CVE-2022-26134
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/f5-big-ip-cve-2020-5902.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=twilight-feather name=crowdsecurity/f5-big-ip-cve-2020-5902
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-path-traversal-probing.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=nameless-leaf name=crowdsecurity/http-path-traversal-probing
time="2024-06-17T18:57:21+02:00" level=debug msg="init (folder:/var/lib/crowdsec/data) (file:http_path_traversal.txt) (type:string)"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/jira_cve-2021-26086.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=dry-violet name=crowdsecurity/jira_cve-2021-26086
time="2024-06-17T18:57:21+02:00" level=debug msg="init (folder:/var/lib/crowdsec/data) (file:jira_cve_2021-26086.txt) (type:string)"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/nginx-req-limit-exceeded.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=shy-meadow name=crowdsecurity/nginx-req-limit-exceeded
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/CVE-2022-41082.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=dark-waterfall name=crowdsecurity/CVE-2022-41082
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/apache_log4j2_cve-2021-44228.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=misty-pond name=crowdsecurity/apache_log4j2_cve-2021-44228
time="2024-06-17T18:57:21+02:00" level=debug msg="init (folder:/var/lib/crowdsec/data) (file:log4j2_cve_2021_44228.txt) (type:string)"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/netgear_rce.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=cool-hill name=crowdsecurity/netgear_rce
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-bad-user-agent.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=divine-resonance name=crowdsecurity/http-bad-user-agent
time="2024-06-17T18:57:21+02:00" level=debug msg="init (folder:/var/lib/crowdsec/data) (file:bad_user_agents.regex.txt) (type:regexp)"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/CVE-2022-35914.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=misty-grass name=crowdsecurity/CVE-2022-35914
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-backdoors-attempts.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=floral-darkness name=crowdsecurity/http-backdoors-attempts
time="2024-06-17T18:57:21+02:00" level=debug msg="init (folder:/var/lib/crowdsec/data) (file:backdoors.txt) (type:string)"
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/CVE-2022-46169.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=broken-haze name=crowdsecurity/CVE-2022-46169-bf
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=proud-glade name=crowdsecurity/CVE-2022-46169-cmd
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/articalogon-bf.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=wandering-darkness name=articatech/articalogon-bf
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/CVE-2022-44877.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=blue-shadow name=crowdsecurity/CVE-2022-44877
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/ssh-bf.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=divine-shadow name=crowdsecurity/ssh-bf
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=white-resonance name=crowdsecurity/ssh-bf_user-enum
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/CVE-2022-40684.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=summer-dew name=crowdsecurity/fortinet-cve-2022-40684
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/CVE-2022-42889.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=weathered-water name=crowdsecurity/CVE-2022-42889
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/http-probing.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding leaky bucket" cfg=still-wind name=crowdsecurity/http-probing
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/vmware-cve-2022-22954.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=polished-breeze name=crowdsecurity/vmware-cve-2022-22954
time="2024-06-17T18:57:21+02:00" level=debug msg="Loading '/etc/crowdsec/scenarios/grafana-cve-2021-43798.yaml'"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding trigger bucket" cfg=lively-sound name=crowdsecurity/grafana-cve-2021-43798
time="2024-06-17T18:57:21+02:00" level=debug msg="No console context value length provided, using default: 4000"
time="2024-06-17T18:57:21+02:00" level=info msg="Loaded 45 scenarios"
time="2024-06-17T18:57:21+02:00" level=debug msg="No appsec rules found"
time="2024-06-17T18:57:21+02:00" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
time="2024-06-17T18:57:21+02:00" level=info msg="Adding file /var/log/nginx/crowdsec.log to datasources" type=file
time="2024-06-17T18:57:21+02:00" level=info msg="Adding file /var/log/auth.log to datasources" type=file
time="2024-06-17T18:57:21+02:00" level=info msg="Adding file /var/log/sshd.log to datasources" type=file
time="2024-06-17T18:57:21+02:00" level=info msg="Adding file /var/log/syslog to datasources" type=file
time="2024-06-17T18:57:21+02:00" level=warning msg="No matching files for pattern /var/log/apache2/*.log" type=file
time="2024-06-17T18:57:21+02:00" level=info msg="Adding file /var/log/artica-webauth.log to datasources" type=file
time="2024-06-17T18:57:21+02:00" level=debug msg="running agent after 1.006093287s ms"
time="2024-06-17T18:57:21+02:00" level=debug msg="[URL] POST http://127.0.0.1:8080/v1/watchers/login"
time="2024-06-17T18:57:21+02:00" level=debug msg="resetting jwt token"
time="2024-06-17T18:57:21+02:00" level=fatal msg="unable to start crowdsec routines: authenticate watcher (): Post \"http://127.0.0.1:8080/v1/watchers/login\": performing jwt auth: dial tcp 127.0.0.1:8080: connect: connection refused"

The /etc/crowdsec/local_api_credentials.yaml just mentions the URL and not the login and password fields.

The command /usr/local/sbin/cscli machines add --auto failed in this way and can be fixed using /usr/local/sbin/cscli machines add --auto --force

The v1.5 worked with an empty field...

Fixed for me
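
The log excerpt in this thread records the Local API listening on 127.0.0.1:8808 while the watcher login is posted to 127.0.0.1:8080. The following added Go example (not part of the thread and not CrowdSec code) extracts both endpoints from logrus-style lines and lists the client targets that differ from the listen address; `Analyze`, `Report` and the regular expressions are hypothetical, and `sampleLog` is three lines copied from the excerpt above.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog holds three lines taken from the log excerpt in this thread.
const sampleLog = `time="2024-06-17T18:57:20+02:00" level=info msg="CrowdSec Local API listening on 127.0.0.1:8808"
time="2024-06-17T18:57:21+02:00" level=debug msg="[URL] POST http://127.0.0.1:8080/v1/watchers/login"
time="2024-06-17T18:57:21+02:00" level=fatal msg="unable to start crowdsec routines: authenticate watcher (): Post \"http://127.0.0.1:8080/v1/watchers/login\": performing jwt auth: dial tcp 127.0.0.1:8080: connect: connection refused"`

var (
	listenRe  = regexp.MustCompile(`msg="CrowdSec Local API listening on ([^"]+)"`)
	requestRe = regexp.MustCompile(`msg="\[URL\] [A-Z]+ ([^"]+)"`)
	refusedRe = regexp.MustCompile(`dial tcp (\S+): connect: connection refused`)
)

// Report collects the endpoints seen in one startup log.
type Report struct {
	Listen  string   // address the Local API reported listening on
	Targets []string // host:port pairs the agent sent requests to
	Refused []string // host:port pairs that refused the connection
}

// hostPort returns host:port for a URL, filling in the scheme's default port.
func hostPort(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return ""
	}
	if u.Port() != "" {
		return u.Host
	}
	if u.Scheme == "https" {
		return net.JoinHostPort(u.Hostname(), "443")
	}
	return net.JoinHostPort(u.Hostname(), "80")
}

func addUnique(list []string, v string) []string {
	if v == "" {
		return list
	}
	for _, x := range list {
		if x == v {
			return list
		}
	}
	return append(list, v)
}

// Analyze scans the log text line by line and fills a Report.
func Analyze(logText string) Report {
	var r Report
	for _, line := range strings.Split(logText, "\n") {
		if m := listenRe.FindStringSubmatch(line); m != nil {
			r.Listen = m[1]
		}
		if m := requestRe.FindStringSubmatch(line); m != nil {
			r.Targets = addUnique(r.Targets, hostPort(m[1]))
		}
		if m := refusedRe.FindStringSubmatch(line); m != nil {
			r.Refused = addUnique(r.Refused, m[1])
		}
	}
	return r
}

// Mismatched lists client targets that differ from the listen address.
// The comparison is textual, so "localhost" and "127.0.0.1" count as different.
func (r Report) Mismatched() []string {
	var out []string
	for _, t := range r.Targets {
		if r.Listen != "" && t != r.Listen {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	r := Analyze(sampleLog)
	fmt.Printf("listen=%s targets=%v refused=%v mismatched=%v\n",
		r.Listen, r.Targets, r.Refused, r.Mismatched())
}
```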