crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License

Debian - Parser upgrade doesn't work #3147

Closed d0m84 closed 1 month ago

d0m84 commented 1 month ago

What happened?

The parser crowdsecurity/dovecot-logs contains a bug in version 0.6 which was fixed in 0.8.

CrowdSec is on Debian 12 using the Debian packages.

I tried to upgrade the parser with the following command, but it doesn't work; it stays at version 0.6.

```console
# cscli parsers upgrade crowdsecurity/dovecot-logs --force
INFO[23-07-2024 00:16:00] crowdsecurity/dovecot-logs : up-to-date
WARN[23-07-2024 00:16:00] crowdsecurity/dovecot-logs : overwrite
updated crowdsecurity/dovecot-logs
INFO[23-07-2024 00:16:00] 📦 crowdsecurity/dovecot-logs : updated
INFO[23-07-2024 00:16:00] Upgraded 1 items
INFO[23-07-2024 00:16:00] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
# cscli parsers list
PARSERS
───────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                             📦 Status   Version   Local Path
───────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/apache2-logs       ✔️ enabled   1.3       /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
 crowdsecurity/dateparse-enrich   ✔️ enabled   0.2       /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
 crowdsecurity/dovecot-logs       ✔️ enabled   0.6       /etc/crowdsec/parsers/s01-parse/dovecot-logs.yaml
 crowdsecurity/http-logs          ✔️ enabled   1.1       /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
 crowdsecurity/nginx-logs         ✔️ enabled   1.3       /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml
 crowdsecurity/postfix-logs       ✔️ enabled   0.4       /etc/crowdsec/parsers/s01-parse/postfix-logs.yaml
 crowdsecurity/postscreen-logs    ✔️ enabled   0.2       /etc/crowdsec/parsers/s01-parse/postscreen-logs.yaml
 crowdsecurity/sshd-logs          ✔️ enabled   2.0       /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
 crowdsecurity/syslog-logs        ✔️ enabled   0.8       /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
 crowdsecurity/whitelists         ✔️ enabled   0.2       /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
───────────────────────────────────────────────────────────────────────────────────────────────────────────────
```

What did you expect to happen?

That the parser crowdsecurity/dovecot-logs gets upgraded to version 0.8.

How can we reproduce it (as minimally and precisely as possible)?

  1. Install on Debian 12
  2. cscli parsers install crowdsecurity/dovecot-logs
  3. cscli parsers upgrade crowdsecurity/dovecot-logs --force

Crowdsec version

```console
$ cscli version
2024/07/23 00:26:06 version: v1.4.6-6~deb12u1-debian
2024/07/23 00:26:06 Codename: alphaga
2024/07/23 00:26:06 BuildDate: 2023-07-15_09:29:33
2024/07/23 00:26:06 GoVersion: 1.19.8
2024/07/23 00:26:06 Platform: linux
2024/07/23 00:26:06 Constraint_parser: >= 1.0, <= 2.0
2024/07/23 00:26:06 Constraint_scenario: >= 1.0, < 3.0
2024/07/23 00:26:06 Constraint_api: v1
2024/07/23 00:26:06 Constraint_acquis: >= 1.0, < 2.0
```

OS version

```console
# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ uname -a
Linux s1 6.1.0-23-arm64 #1 SMP Debian 6.1.99-1 (2024-07-15) aarch64 GNU/Linux
```

github-actions[bot] commented 1 month ago

@d0m84: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.

LaurenceJJones commented 1 month ago
> crowdsecurity/dovecot-logs       ✔️ enabled   0.6       /etc/crowdsec/parsers/s01-parse/dovecot-logs.yaml

Wrong answer in details:

Can you provide your `/etc/crowdsec/config.yaml` and run `ls -la /etc/crowdsec/parsers/s01-parse/`? The specific thing we want to see in `/etc/crowdsec/config.yaml` is this:

```yaml
config_paths:
  hub_dir: /etc/crowdsec/hub/
```

Most likely the issue is that hub_dir is set to the above and the parsers in `/etc/crowdsec/parsers/s01-parse/` are symlinked to the wrong directory, because you might have installed the Debian repo version first and then overrode it with our package version (which stores the parsers in different directories, since Debian tries to use its own directory structure hierarchy when it comes to "user" files). To fix this you can simply run this bash script: https://gist.github.com/LaurenceJJones/6960107296145e8e365009973b9d7f6d

If the above is not the case, check which version you are on with `cscli version`; if it's not 1.6.2 then that is the reason why. You need to be on the latest versions to be able to get some updates.

Edit: Yes, I can see from the crowdsec version that you are on v1.4.6-6~deb12u1-debian, which is 2 minor versions out of date. We recommend using our package repository https://docs.crowdsec.net/u/getting_started/installation/linux as the Debian repository version will not be getting updates moving forward.

Edit Edit: Checking the hub versioning, you must be at least on version 1.5.2 to get this updated parser, but we recommend using our repo and updating to latest as you will be missing a lot of updates from other parsers too.
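The hub_dir/symlink mismatch described in this comment can be checked mechanically. The script below is an added example, not CrowdSec project code: it reads `hub_dir` from `config.yaml` (assuming the simple `  hub_dir: <path>` line shown in this issue, not arbitrary YAML) and flags any parser file under the parsers directory that is either not a symlink or resolves outside that hub directory.

```shell
#!/bin/sh
# Added example, not CrowdSec project code: check that every parser symlink
# under a parsers directory resolves inside the hub_dir that config.yaml names.
# A link pointing elsewhere is the Debian-layout vs. CrowdSec-layout mismatch
# discussed in this issue; a plain file is a local copy the hub will never upgrade.

# Pull hub_dir out of config.yaml. Assumes the simple "  hub_dir: <path>" line
# shown in this thread; this is not a full YAML parser.
hub_dir_from_config() {
    sed -n 's/^[[:space:]]*hub_dir:[[:space:]]*//p' "$1" | head -n 1
}

# check_parser_links HUB_DIR PARSERS_DIR
# Returns 0 when every *.yaml under PARSERS_DIR/<stage>/ is a symlink whose
# target lies under HUB_DIR; otherwise prints each offender and returns 1.
check_parser_links() {
    hub=${1%/}          # drop a trailing slash so the case pattern matches
    status=0
    for link in "$2"/*/*.yaml; do
        # skip the unexpanded glob when a stage directory is empty
        [ -L "$link" ] || [ -e "$link" ] || continue
        if [ ! -L "$link" ]; then
            echo "local file, not managed by the hub: $link"
            status=1
            continue
        fi
        target=$(readlink "$link")
        case "$target" in
            "$hub"/*) ;;   # good: lives inside the configured hub_dir
            *) echo "outside hub_dir: $link -> $target"; status=1 ;;
        esac
    done
    return "$status"
}

# Usage on a real host (as root):
#   check_parser_links "$(hub_dir_from_config /etc/crowdsec/config.yaml)" /etc/crowdsec/parsers
```

A clean result (exit 0) on the reporter's layout above is consistent with what they found: the links are fine and the cause is the agent version, not the paths.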

d0m84 commented 1 month ago

Thanks for help.

My /etc/crowdsec/config.yaml is the distribution default:

```yaml
common:
  daemonize: true
  log_media: file
  log_level: info
  log_dir: /var/log/
  log_max_size: 20
  compress_logs: true
  log_max_files: 10
  working_dir: .
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /var/lib/crowdsec/data/
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /var/lib/crowdsec/hub/
  index_path: /var/lib/crowdsec/hub/.index.json
  notification_dir: /etc/crowdsec/notifications/
  plugin_dir: /usr/lib/crowdsec/plugins/
crowdsec_service:
  acquisition_path: /etc/crowdsec/acquis.yaml
  acquisition_dir: /etc/crowdsec/acquis.d
  parser_routines: 1
cscli:
  output: human
  color: auto
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  #max_open_conns: 100
  #user:
  #password:
  #db_name:
  #host:
  #port:
  flush:
    max_items: 5000
    max_age: 7d
plugin_config:
  user: nobody # plugin process would be ran on behalf of this user
  group: nogroup # plugin process would be ran on behalf of this group
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    console_path: /etc/crowdsec/console.yaml
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    trusted_ips: # IP ranges, or IPs which can have admin API access
      - 127.0.0.1
      - ::1
#    tls:
#      cert_file: /etc/crowdsec/ssl/cert.pem
#      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060
```

The relevant part:

```yaml
config_paths:
  hub_dir: /var/lib/crowdsec/hub/
```

The files are symlinks to the same folder, so it looks like the issue is something else.

```console
# ls -la /etc/crowdsec/parsers/
total 20
drwxr-xr-x 5 root root 4096 Jul 22 19:58 .
drwxr-xr-x 7 root root 4096 Jul 22 21:18 ..
drwxr-xr-x 2 root root 4096 Jul 22 19:58 s00-raw
drwxr-xr-x 2 root root 4096 Jul 22 20:09 s01-parse
drwxr-xr-x 2 root root 4096 Jul 23 08:36 s02-enrich
# ls -la /etc/crowdsec/parsers/s01-parse/
total 32
drwxr-xr-x 2 root root 4096 Jul 22 20:09 .
drwxr-xr-x 5 root root 4096 Jul 22 19:58 ..
lrwxrwxrwx 1 root root 71 Jul 22 19:58 apache2-logs.yaml -> /var/lib/crowdsec/hub/parsers/s01-parse/crowdsecurity/apache2-logs.yaml
lrwxrwxrwx 1 root root 71 Jul 22 20:00 dovecot-logs.yaml -> /var/lib/crowdsec/hub/parsers/s01-parse/crowdsecurity/dovecot-logs.yaml
lrwxrwxrwx 1 root root 69 Jul 22 19:58 nginx-logs.yaml -> /var/lib/crowdsec/hub/parsers/s01-parse/crowdsecurity/nginx-logs.yaml
lrwxrwxrwx 1 root root 71 Jul 22 20:00 postfix-logs.yaml -> /var/lib/crowdsec/hub/parsers/s01-parse/crowdsecurity/postfix-logs.yaml
lrwxrwxrwx 1 root root 74 Jul 22 20:09 postscreen-logs.yaml -> /var/lib/crowdsec/hub/parsers/s01-parse/crowdsecurity/postscreen-logs.yaml
lrwxrwxrwx 1 root root 68 Jul 22 19:58 sshd-logs.yaml -> /var/lib/crowdsec/hub/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
```

I understand that the CrowdSec repo contains the most recent software, but I would like to use the Debian stable repo, as I like their conservative approach to releases, which usually allows me to auto-update packages with no manual interaction.

LaurenceJJones commented 1 month ago

> Thanks for help.
>
> My /etc/crowdsec/config.yaml is the distribution default:
>
> ```yaml
> config_paths:
>   hub_dir: /var/lib/crowdsec/hub/
> ```
>
> The files are symlinks to the same folder so it looks like the issue is something else.
>
> I understand that the CrowdSec repo contains the most recent software, I would like to use the Debian stable repo as I like their conservative approach for a release, which usually allows me to auto-update packages with no manual interaction.

Okay, but to get the latest updates to parsers you need to progress along with CrowdSec versioning; since Debian stable is quite behind, we can't really do much. The only other thing is manually updating the file by downloading it and testing it yourself.

We don't backport to 1.4, as it's currently not a supported version from the CrowdSec team; we currently support 1.5 and 1.6 retrospective to minor versions.