v1.5.3-rc2

Changes

• do not send more than group_threshold alerts at once to a notification plugin (#2264) @mmetc
• cscli: add G (1e9) suffix to metric units (#2254) @mmetc

New Features

• Add bayesian bucket type (#2290) @seemanne
• allow running rootless docker tests (#2281) @mmetc

Improvements

• support for stdin with "cscli decision import" and raw values (#2291) @mmetc
• non-fatal error if some datasource can't be run (i.e. journalctl but systemd is missing) (#2309) @mmetc
• Build with libre2 by default, options for wasm and static; add mk/gmsl (#2295) @mmetc
• send metrics sooner if agents are added/removed (#2296) @mmetc
• append vendor.tgz to each release (#2288) @mmetc
• CI: vagrant configuration for debian 12 (#2285) @LaurenceJJones
• CI: Remove cache entries when closing a PR (#2289) @mmetc
• Update jsonextract.go (#2287) @LaurenceJJones
• Implement "crowdsec -fatal" flag; change help message (#2266) @mmetc
• don't log systemd notification error if not running under systemd (#2274) @mmetc
• build against libre2-dev if found (#2255) @mmetc
• log.Warning if a notification is configured twice (#2240) @mmetc
• CI: publish dev-debian docker image (amd64 only) (#2252) @mmetc
• CI: use hub cli to upload release tar (#2244) @mmetc

Bug Fixes

• add object key in src for S3 acquis (#2342) @blotus
• Properly match new files on windows when doing file acquisition (#2329) @blotus
• rename status to state in fire response (#2313) @blotus
• raise error with invalid 'on_success', 'on_failure' in profile (#2303) @mmetc
• docker: always merge .yaml.local in conf_get() (#2272) @mmetc
• Change api_key encoding to base64 to comply with bcrypt max size (#2302) @mmetc
• fix error message when failing to parse ip address or range (#2292) @mmetc

Chore / Deps

• update dependency on goccy/go-yaml for arm32 fix (#2343) @mmetc
• CI: bump and lock pytest dependencies (#2340) @mmetc
• Update grpc dependency to latest stable version (#2339) @mmetc
• errors.Wrap -> fmt.Errorf (#2333) @mmetc
• CI: reduce test verbosity; set PKG_CONFIG_PATH for re2 in rpm distros (#2331) @mmetc
• Update go-re2 dep to fix arm32 build (#2332) @mmetc
• tests: vagrant refactoring (#2328) @mmetc
• CI: update ansible tests for re2 (#2318) @mmetc
• errors.Wrap -> fmt.Errorf (#2317) @mmetc
• func tests: install some dependencies from make, log test helpers (#2314) @mmetc
• rename metabase APIClient to avoid confusion (#2305) @mmetc
• CI: Update setup-go action to v4 (with automatic cache) (#2168) @mmetc
• docker: build same re2 version for alpine/debian; bump yq (#2311) @mmetc
• update debian version to have latest systemd (#2304) @he2ss
• CI: build docker version with c++ re2 (static) (#2307) @mmetc
• errors.Wrap -> fmt.Errorf; clean up imports (#2301) @mmetc
• CI: add fedora-37, -38 to vagrant tests (#2299) @mmetc
• update leakybucket readme (#2298) @mmetc
• errors.Wrap -> fmt.Errorf (#2297) @mmetc
• Update go dependencies (#2293) @mmetc
• spellcheck/style leakybucket readme (#2294) @mmetc
• Use go 1.20.5 (#2280) @mmetc
• light pkg/parser cleanup (#2279) @mmetc
• trim pkg/types: move DataSet/GetData to pkg/cwhub, removed unused Clone function (#2271) @mmetc
• add missing import (#2275) @mmetc
• minor refactor to pkg/types, cscli machines (#2270) @mmetc
• Move grok_pattern.go away from pkg/types to reduce bouncer dependencies (#2269) @mmetc
• don't pre-create log files (not required anymore) (#2267) @mmetc
• CI: add tests for metrics configuration (#2251) @mmetc
• CI: refactor makefile for plugins and vendor target (#2256) @mmetc
• update notif threshold test on windows (#2265) @mmetc
• show option -winsvc only under windows (#2258) @mmetc
• CI: make clean -> remove coverage data (#2259) @mmetc
• make: allow using a development version of Go, with a warning (#2260) @mmetc
• gitignore: ignore .vagrant directories (#2262) @mmetc
• default config: simulation off -> false (yaml 1.2) (#2263) @mmetc
• dependencies: replaced function calls to pkg/types, errors.Wrap (#2235) @mmetc
• CI: refactoring pkg/csplugin (#2247) @mmetc
• CI: separate stderr in all func tests (#2250) @mmetc
• update libsystemd in debian docker image (#2245) @he2ss
• types.InSlice() -> slices.Contains() (#2246) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.5.3-rc1

New Features

• Add bayesian bucket type (#2290) @seemanne

Improvements

• support for stdin with "cscli decision import" and raw values (#2291) @mmetc
• non-fatal error if some datasource can't be run (i.e. journalctl but systemd is missing) (#2309) @mmetc
• Build with libre2 by default, options for wasm and static; add mk/gmsl (#2295) @mmetc
• send metrics sooner if agents are added/removed (#2296) @mmetc
• append vendor.tgz to each release (#2288) @mmetc
• CI: vagrant configuration for debian 12 (#2285) @LaurenceJJones
• CI: Remove cache entries when closing a PR (#2289) @mmetc
• Update jsonextract.go (#2287) @LaurenceJJones
• Implement "crowdsec -fatal" flag; change help message (#2266) @mmetc
• don't log systemd notification error if not running under systemd (#2274) @mmetc
• build against libre2-dev if found (#2255) @mmetc
• log.Warning if a notification is configured twice (#2240) @mmetc
• CI: publish dev-debian docker image (amd64 only) (#2252) @mmetc
• CI: use hub cli to upload release tar (#2244) @mmetc

Bug Fixes

• rename status to state in fire response (#2313) @blotus
• raise error with invalid 'on_success', 'on_failure' in profile (#2303) @mmetc
• docker: always merge .yaml.local in conf_get() (#2272) @mmetc
• Change api_key encoding to base64 to comply with bcrypt max size (#2302) @mmetc
• fix error message when failing to parse ip address or range (#2292) @mmetc

Chore / Deps

• CI: update ansible tests for re2 (#2318) @mmetc
• errors.Wrap -> fmt.Errorf (#2317) @mmetc
• func tests: install some dependencies from make, log test helpers (#2314) @mmetc
• rename metabase APIClient to avoid confusion (#2305) @mmetc
• CI: Update setup-go action to v4 (with automatic cache) (#2168) @mmetc
• docker: build same re2 version for alpine/debian; bump yq (#2311) @mmetc
• update debian version to have latest systemd (#2304) @he2ss
• CI: build docker version with c++ re2 (static) (#2307) @mmetc
• errors.Wrap -> fmt.Errorf; clean up imports (#2301) @mmetc
• CI: add fedora-37, -38 to vagrant tests (#2299) @mmetc
• update leakybucket readme (#2298) @mmetc
• errors.Wrap -> fmt.Errorf (#2297) @mmetc
• Update go dependencies (#2293) @mmetc
• spellcheck/style leakybucket readme (#2294) @mmetc
• Use go 1.20.5 (#2280) @mmetc
• light pkg/parser cleanup (#2279) @mmetc
• trim pkg/types: move DataSet/GetData to pkg/cwhub, removed unused Clone function (#2271) @mmetc
• add missing import (#2275) @mmetc
• minor refactor to pkg/types, cscli machines (#2270) @mmetc
• Move grok_pattern.go away from pkg/types to reduce bouncer dependencies (#2269) @mmetc
• don't pre-create log files (not required anymore) (#2267) @mmetc
• CI: add tests for metrics configuration (#2251) @mmetc
• CI: refactor makefile for plugins and vendor target (#2256) @mmetc
• update notif threshold test on windows (#2265) @mmetc
• show option -winsvc only under windows (#2258) @mmetc
• CI: make clean -> remove coverage data (#2259) @mmetc
• make: allow using a development version of Go, with a warning (#2260) @mmetc
• gitignore: ignore .vagrant directories (#2262) @mmetc
• default config: simulation off -> false (yaml 1.2) (#2263) @mmetc
• dependencies: replaced function calls to pkg/types, errors.Wrap (#2235) @mmetc
• CI: refactoring pkg/csplugin (#2247) @mmetc
• CI: separate stderr in all func tests (#2250) @mmetc
• update libsystemd in debian docker image (#2245) @he2ss
• types.InSlice() -> slices.Contains() (#2246) @mmetc

Changes

• do not send more than group_threshold alerts at once to a notification plugin (#2264) @mmetc
• cscli: add G (1e9) suffix to metric units (#2254) @mmetc
• allow running rootless docker tests (#2281) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.5.2

Changes

Improvements

• generate asserts for evt.Unmarshaled in hubtest (#2214) @blotus
• Log info capi whitelists (#2220) @LaurenceJJones
• support capi_whitelists.yaml (#2224) @mmetc

Bug Fixes

• Update KV ignore whitespace before and after = (#2236) @LaurenceJJones
• fix lock when dumping the parsing state in explain mode (#2234) @blotus
• test cleanup: remove /tmp/crowdsec_tests* directories (#2232) @mmetc
• merge system cert pool with own certs (#2226) @mmetc

Chore / Deps

• decouple bouncer dependencies: use go-cs-lib/pkg/ptr (#2228) @mmetc
• decouple bouncer dependencies: use go-cs-lib in test code (#2229) @mmetc
• makefiles: de-duplicate, simplify and remove unused code (#2222) @mmetc
• decouple bouncer dependencies: use go-cs-lib/pkg/ptr in apiclient (#2227) @mmetc
• decouple bouncer dependencies: use go-cs-lib/pkg/* (#2216) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.5.2-rc1

Changes

Improvements

• Log info capi whitelists (#2220) @LaurenceJJones
• support capi_whitelists.yaml (#2224) @mmetc

Bug Fixes

• test cleanup: remove /tmp/crowdsec_tests* directories (#2232) @mmetc
• merge system cert pool with own certs (#2226) @mmetc

Chore / Deps

• decouple bouncer dependencies: use go-cs-lib/pkg/ptr (#2228) @mmetc
• decouple bouncer dependencies: use go-cs-lib in test code (#2229) @mmetc
• makefiles: de-duplicate, simplify and remove unused code (#2222) @mmetc
• decouple bouncer dependencies: use go-cs-lib/pkg/ptr in apiclient (#2227) @mmetc
• decouple bouncer dependencies: use go-cs-lib/pkg/* (#2216) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.5.1

Security Notice

This release includes a security fix for the Windows version of crowdsec regarding a potential privesc when installing crowdsec in a non-default path (different than C:\Program Files\CrowdSec).
This release removes the ability to choose a custom installation path. If you have installed crowdsec in a non-default path, we strongly encourage you to reinstall crowdsec at the default location.

Changes

Bug Fixes

• fallback to master for hub index download if it does not exist (#2210) @blotus
• Don't allow to customize the installation directory on windows (#2208) @blotus
• fix incorrect version strip (#2206) @blotus

Chore / Deps

• Use go 1.20.4 (#2209) @mmetc
• gitignore: allow shipping wasm libs with vendored files (#2207) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.5.0

New Features

• Add transform configuration option for acquisition (#2144) @blotus
• Add experimental support for re2 (#2138) @blotus
• S3 acquisition datasource (#2130) @blotus
• support ip and cidr based whitelists for capi and 3rd party blocklists (#2132) @buixor
• try to make reproducible build work (#2119) @sabban
• Distance support : Impossible travel (#2108) @buixor
• Implement "cscli config show-yaml" (#2191) @mmetc
• Add ParseKV and UnmarshalJSON helper (#2184) @LaurenceJJones
• add Hostname helper in expr and templating (#2193) @blotus
• Add B64decode expr helper (#2183) @blotus
• add a LogInfo expr helper (#2179) @buixor

Improvements

• Add cscli papi status and cscli papi sync (#2091) @blotus
• add papi_url in credentials file when enabling console_management, and remove it when disabling console_management (#2095) @blotus
• display source in alerts list when an alert has multiple decisions (#2098) @blotus
• New PAPI commands: reauth + force_pull (#2129) @blotus
• do not try to load PAPI is url is not set (#2099) @blotus
• CI: Static builds by default; replace bincover with go -cover from 1.20 (#2150) @mmetc
• File acquisition: log "file reopen" events instead of writing to stderr (#2139) @mmetc
• Allow running func tests while running containers with crowdsec (#2137) @mmetc
• match expr helper (#2126) @buixor
• properly update the time structure within event (#2122) @buixor
• add ToString() helper (#2100) @blotus
• Docker readme: update build instructions, recommend acquis.d and config.yaml.local (#2115) @mmetc
• add --origin to cscli decisions delete (#2109) @buixor
• support for regexps result cache (#2104) @buixor
• CI: Cache all built go modules (#2081) @mmetc
• Explain successful parsers only (#2063) @LaurenceJJones
• Option to disable remote lapi registration (#2010) @LaurenceJJones
• Stream decisions from db (#1927) @blotus
• CI: functional docker tests (#2056) @mmetc
• Show s00 stats instead of "first_parser" (#2055) @LaurenceJJones
• optimize blocklist fetch (#2039) @nitescuc
• optimization - remove useless login call (#2036) @nitescuc
• Add IsIPV4() and IsIP() helpers (#2050) @blotus
• more strings helpers (#2040) @buixor
• update default windows acquisition configuration (#2195) @blotus
• allow batching when importing decisions (#2192) @buixor

Bug Fixes

• Wait for both api and agent chans if necessary when daemonize is false or running on windows (#2155) @blotus
• check if the acquis tomb is dying while processing logs in replay mode for file/s3/docker (#2152) @blotus
• Properly load k8s audit configuration (#2158) @mmetc
• Allow subcommands to be activated by feature.yaml (#2156) @mmetc
• fix awkward stacktrace in conditional filter (#2145) @buixor
• Docker: don't re-register local agent if not needed (#2141) @mmetc
• Docker: correct behavior of AGENTS_ALLOWED_OU, BOUNCERS_ALLOWED_OU (#2140) @mmetc
• Unit tests: remove leftover files (#2134) @mmetc
• Report docker systems in version and user agents (#2136) @mmetc
• fix dateparse (#2135) @buixor
• CI: avoid conflict with pkg/build cache in golangci-lint action (#2123) @mmetc
• actually fix expr-debugger to work with the new version (#2124) @blotus
• cscli explain : avoid concurrent map writes (#2113) @buixor
• Fix cscli explain when running from testenv (#2114) @AlteredCoder
• Load lapi config for config show output (#2097) @mmetc
• Fix docker tests by increasing timeout (#2107) @mmetc
• Unit tests: fix authentication to localstack (#2106) @mmetc
• Fix log destination in one-shot mode (#2084) @mmetc
• CI: Limit parallel docker builds for performance on small machines (#2082) @mmetc
• ugly workaround to fix the tests (#2080) @sabban
• fix the way acquisition is stopped (#2069) @sabban
• Strip version with ~ instead of - (#2076) @AlteredCoder
• Fix docker tests (network creation) (#2077) @mmetc
• email plugin: add "starttls" as accepted encryption_type in the comment (#2068) @mmetc
• Propagate taints to top collections (fix #2064) (#2066) @mmetc
• fix message "empty scenario" (#2065) @mmetc
• Do not try to refresh JWT token when doing a login request (#2059) @blotus
• add indexes on the FK between alerts and {decisions,metas,events} (#2188) @blotus
• defaults to inotify to detect changes in file datasource to avoid too many call to stat() (#2181) @blotus

Chore / Deps

• timeout of ci jobs (20 -> 30) (#2160) @buixor
• Rename k8s_audit to k8s-audit (easier to type, consistent with labels) (#2153) @mmetc
• use expr.Function for custom functions instead of passing them in the env (#2133) @blotus
• Only use pgx for postgresql database (#2118) @blotus
• Update expr (#2110) @blotus
• Fix docker tests by increasing timeout (again) and move compose test to plugin (#2112) @mmetc
• Lint (type inference): remove redundant type declarations (#2111) @mmetc
• Run lint after tests instead of separate workflow (#2103) @mmetc
• Build notification plugins with current crowdsec; mod tidy (#2102) @mmetc
• Make: extract "goversion.mk" to reuse it in bouncers (#2101) @mmetc
• Rename directory "tests" to "test" (#2094) @mmetc
• Add tests and typo fixes (#2092) @mmetc
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/slack (#2088) @dependabot
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/splunk (#2086) @dependabot
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/http (#2087) @dependabot
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/email (#2085) @dependabot
• Bump golang.org/x/net from 0.0.0-20220722155237-a158d28d115b to 0.7.0 (#2089) @dependabot
• CI: limit -dev docker image to amd64 to speed up the pipeline (#2090) @mmetc
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/http (#2074) @dependabot
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/email (#2073) @dependabot
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/splunk (#2071) @dependabot
• Bump bats-core to 1.9 (#2083) @mmetc
• Bump golang.org/x/text from 0.3.7 to 0.3.8 (#2072) @dependabot
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/slack (#2070) @dependabot
• Docker tests: use pytest-cs 0.2 (#2079) @mmetc
• Pin pytest-cs to a stable tag, cache virtualenvs, don't install ipython in CI (#2075) @mmetc
• chore: simplify pkg/database/alerts (#2062) @mmetc
• replace log.Fatal -> fmt.Errorf (#2058) @mmetc
• Bump github.com/containerd/containerd from 1.6.12 to 1.6.18 (#2060) @dependabot
• Bump github.com/docker/distribution from 2.7.1+incompatible to 2.8.0+incompatible (#1996) @dependabot
• CAPI error code handling tests (#2027) @rr404
• CI: set GOBIN instead of go install + cp (#2030) @mmetc
• CI: build with go 1.20 (#2031) @mmetc
• test: bats-detect tests for "cscli setup" (#2057) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.5.0-rc6

New Features

• Add transform configuration option for acquisition (#2144) @blotus
• Add experimental support for re2 (#2138) @blotus
• S3 acquisition datasource (#2130) @blotus
• support ip and cidr based whitelists for capi and 3rd party blocklists (#2132) @buixor
• try to make reproducible build work (#2119) @sabban
• Distance support : Impossible travel (#2108) @buixor
• Implement "cscli config show-yaml" (#2191) @mmetc
• Add ParseKV and UnmarshalJSON helper (#2184) @LaurenceJJones
• add Hostname helper in expr and templating (#2193) @blotus
• Add B64decode expr helper (#2183) @blotus
• add a LogInfo expr helper (#2179) @buixor

Improvements

• Add cscli papi status and cscli papi sync (#2091) @blotus
• add papi_url in credentials file when enabling console_management, and remove it when disabling console_management (#2095) @blotus
• display source in alerts list when an alert has multiple decisions (#2098) @blotus
• New PAPI commands: reauth + force_pull (#2129) @blotus
• do not try to load PAPI is url is not set (#2099) @blotus
• CI: Static builds by default; replace bincover with go -cover from 1.20 (#2150) @mmetc
• File acquisition: log "file reopen" events instead of writing to stderr (#2139) @mmetc
• Allow running func tests while running containers with crowdsec (#2137) @mmetc
• match expr helper (#2126) @buixor
• properly update the time structure within event (#2122) @buixor
• add ToString() helper (#2100) @blotus
• Docker readme: update build instructions, recommend acquis.d and config.yaml.local (#2115) @mmetc
• add --origin to cscli decisions delete (#2109) @buixor
• support for regexps result cache (#2104) @buixor
• CI: Cache all built go modules (#2081) @mmetc
• Explain successful parsers only (#2063) @LaurenceJJones
• Option to disable remote lapi registration (#2010) @LaurenceJJones
• Stream decisions from db (#1927) @blotus
• CI: functional docker tests (#2056) @mmetc
• Show s00 stats instead of "first_parser" (#2055) @LaurenceJJones
• optimize blocklist fetch (#2039) @nitescuc
• optimization - remove useless login call (#2036) @nitescuc
• Add IsIPV4() and IsIP() helpers (#2050) @blotus
• more strings helpers (#2040) @buixor
• update default windows acquisition configuration (#2195) @blotus
• allow batching when importing decisions (#2192) @buixor

Bug Fixes

• Wait for both api and agent chans if necessary when daemonize is false or running on windows (#2155) @blotus
• check if the acquis tomb is dying while processing logs in replay mode for file/s3/docker (#2152) @blotus
• Properly load k8s audit configuration (#2158) @mmetc
• Allow subcommands to be activated by feature.yaml (#2156) @mmetc
• fix awkward stacktrace in conditional filter (#2145) @buixor
• Docker: don't re-register local agent if not needed (#2141) @mmetc
• Docker: correct behavior of AGENTS_ALLOWED_OU, BOUNCERS_ALLOWED_OU (#2140) @mmetc
• Unit tests: remove leftover files (#2134) @mmetc
• Report docker systems in version and user agents (#2136) @mmetc
• fix dateparse (#2135) @buixor
• CI: avoid conflict with pkg/build cache in golangci-lint action (#2123) @mmetc
• actually fix expr-debugger to work with the new version (#2124) @blotus
• cscli explain : avoid concurrent map writes (#2113) @buixor
• Fix cscli explain when running from testenv (#2114) @AlteredCoder
• Load lapi config for config show output (#2097) @mmetc
• Fix docker tests by increasing timeout (#2107) @mmetc
• Unit tests: fix authentication to localstack (#2106) @mmetc
• Fix log destination in one-shot mode (#2084) @mmetc
• CI: Limit parallel docker builds for performance on small machines (#2082) @mmetc
• ugly workaround to fix the tests (#2080) @sabban
• fix the way acquisition is stopped (#2069) @sabban
• Strip version with ~ instead of - (#2076) @AlteredCoder
• Fix docker tests (network creation) (#2077) @mmetc
• email plugin: add "starttls" as accepted encryption_type in the comment (#2068) @mmetc
• Propagate taints to top collections (fix #2064) (#2066) @mmetc
• fix message "empty scenario" (#2065) @mmetc
• Do not try to refresh JWT token when doing a login request (#2059) @blotus
• add indexes on the FK between alerts and {decisions,metas,events} (#2188) @blotus
• defaults to inotify to detect changes in file datasource to avoid too many call to stat() (#2181) @blotus

Chore / Deps

• timeout of ci jobs (20 -> 30) (#2160) @buixor
• Rename k8s_audit to k8s-audit (easier to type, consistent with labels) (#2153) @mmetc
• use expr.Function for custom functions instead of passing them in the env (#2133) @blotus
• Only use pgx for postgresql database (#2118) @blotus
• Update expr (#2110) @blotus
• Fix docker tests by increasing timeout (again) and move compose test to plugin (#2112) @mmetc
• Lint (type inference): remove redundant type declarations (#2111) @mmetc
• Run lint after tests instead of separate workflow (#2103) @mmetc
• Build notification plugins with current crowdsec; mod tidy (#2102) @mmetc
• Make: extract "goversion.mk" to reuse it in bouncers (#2101) @mmetc
• Rename directory "tests" to "test" (#2094) @mmetc
• Add tests and typo fixes (#2092) @mmetc
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/slack (#2088) @dependabot
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/splunk (#2086) @dependabot
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/http (#2087) @dependabot
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/email (#2085) @dependabot
• Bump golang.org/x/net from 0.0.0-20220722155237-a158d28d115b to 0.7.0 (#2089) @dependabot
• CI: limit -dev docker image to amd64 to speed up the pipeline (#2090) @mmetc
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/http (#2074) @dependabot
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/email (#2073) @dependabot
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/splunk (#2071) @dependabot
• Bump bats-core to 1.9 (#2083) @mmetc
• Bump golang.org/x/text from 0.3.7 to 0.3.8 (#2072) @dependabot
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/slack (#2070) @dependabot
• Docker tests: use pytest-cs 0.2 (#2079) @mmetc
• Pin pytest-cs to a stable tag, cache virtualenvs, don't install ipython in CI (#2075) @mmetc
• chore: simplify pkg/database/alerts (#2062) @mmetc
• replace log.Fatal -> fmt.Errorf (#2058) @mmetc
• Bump github.com/containerd/containerd from 1.6.12 to 1.6.18 (#2060) @dependabot
• Bump github.com/docker/distribution from 2.7.1+incompatible to 2.8.0+incompatible (#1996) @dependabot
• CAPI error code handling tests (#2027) @rr404
• CI: set GOBIN instead of go install + cp (#2030) @mmetc
• CI: build with go 1.20 (#2031) @mmetc
• test: bats-detect tests for "cscli setup" (#2057) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.5.0-rc5

New Features

• Add transform configuration option for acquisition (#2144) @blotus
• Add experimental support for re2 (#2138) @blotus
• S3 acquisition datasource (#2130) @blotus
• support ip and cidr based whitelists for capi and 3rd party blocklists (#2132) @buixor
• try to make reproducible build work (#2119) @sabban
• Distance support : Impossible travel (#2108) @buixor

Improvements

• Add cscli papi status and cscli papi sync (#2091) @blotus
• add papi_url in credentials file when enabling console_management, and remove it when disabling console_management (#2095) @blotus
• display source in alerts list when an alert has multiple decisions (#2098) @blotus
• New PAPI commands: reauth + force_pull (#2129) @blotus
• do not try to load PAPI is url is not set (#2099) @blotus
• CI: Static builds by default; replace bincover with go -cover from 1.20 (#2150) @mmetc
• File acquisition: log "file reopen" events instead of writing to stderr (#2139) @mmetc
• Allow running func tests while running containers with crowdsec (#2137) @mmetc
• match expr helper (#2126) @buixor
• properly update the time structure within event (#2122) @buixor
• add ToString() helper (#2100) @blotus
• Docker readme: update build instructions, recommend acquis.d and config.yaml.local (#2115) @mmetc
• add --origin to cscli decisions delete (#2109) @buixor
• support for regexps result cache (#2104) @buixor
• CI: Cache all built go modules (#2081) @mmetc
• Explain successful parsers only (#2063) @LaurenceJJones
• Option to disable remote lapi registration (#2010) @LaurenceJJones
• Stream decisions from db (#1927) @blotus
• CI: functional docker tests (#2056) @mmetc
• Show s00 stats instead of "first_parser" (#2055) @LaurenceJJones
• optimize blocklist fetch (#2039) @nitescuc
• optimization - remove useless login call (#2036) @nitescuc
• Add IsIPV4() and IsIP() helpers (#2050) @blotus
• more strings helpers (#2040) @buixor

Bug Fixes

• Wait for both api and agent chans if necessary when daemonize is false or running on windows (#2155) @blotus
• check if the acquis tomb is dying while processing logs in replay mode for file/s3/docker (#2152) @blotus
• Properly load k8s audit configuration (#2158) @mmetc
• Allow subcommands to be activated by feature.yaml (#2156) @mmetc
• fix awkward stacktrace in conditional filter (#2145) @buixor
• Docker: don't re-register local agent if not needed (#2141) @mmetc
• Docker: correct behavior of AGENTS_ALLOWED_OU, BOUNCERS_ALLOWED_OU (#2140) @mmetc
• Unit tests: remove leftover files (#2134) @mmetc
• Report docker systems in version and user agents (#2136) @mmetc
• fix dateparse (#2135) @buixor
• CI: avoid conflict with pkg/build cache in golangci-lint action (#2123) @mmetc
• actually fix expr-debugger to work with the new version (#2124) @blotus
• cscli explain : avoid concurrent map writes (#2113) @buixor
• Fix cscli explain when running from testenv (#2114) @AlteredCoder
• Load lapi config for config show output (#2097) @mmetc
• Fix docker tests by increasing timeout (#2107) @mmetc
• Unit tests: fix authentication to localstack (#2106) @mmetc
• Fix log destination in one-shot mode (#2084) @mmetc
• CI: Limit parallel docker builds for performance on small machines (#2082) @mmetc
• ugly workaround to fix the tests (#2080) @sabban
• fix the way acquisition is stopped (#2069) @sabban
• Strip version with ~ instead of - (#2076) @AlteredCoder
• Fix docker tests (network creation) (#2077) @mmetc
• email plugin: add "starttls" as accepted encryption_type in the comment (#2068) @mmetc
• Propagate taints to top collections (fix #2064) (#2066) @mmetc
• fix message "empty scenario" (#2065) @mmetc
• Do not try to refresh JWT token when doing a login request (#2059) @blotus

Chore / Deps

• timeout of ci jobs (20 -> 30) (#2160) @buixor
• Rename k8s_audit to k8s-audit (easier to type, consistent with labels) (#2153) @mmetc
• use expr.Function for custom functions instead of passing them in the env (#2133) @blotus
• Only use pgx for postgresql database (#2118) @blotus
• Update expr (#2110) @blotus
• Fix docker tests by increasing timeout (again) and move compose test to plugin (#2112) @mmetc
• Lint (type inference): remove redundant type declarations (#2111) @mmetc
• Run lint after tests instead of separate workflow (#2103) @mmetc
• Build notification plugins with current crowdsec; mod tidy (#2102) @mmetc
• Make: extract "goversion.mk" to reuse it in bouncers (#2101) @mmetc
• Rename directory "tests" to "test" (#2094) @mmetc
• Add tests and typo fixes (#2092) @mmetc
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/slack (#2088) @dependabot
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/splunk (#2086) @dependabot
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/http (#2087) @dependabot
• Bump golang.org/x/net from 0.0.0-20220418201149-a630d4f3e7a2 to 0.7.0 in /plugins/notifications/email (#2085) @dependabot
• Bump golang.org/x/net from 0.0.0-20220722155237-a158d28d115b to 0.7.0 (#2089) @dependabot
• CI: limit -dev docker image to amd64 to speed up the pipeline (#2090) @mmetc
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/http (#2074) @dependabot
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/email (#2073) @dependabot
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/splunk (#2071) @dependabot
• Bump bats-core to 1.9 (#2083) @mmetc
• Bump golang.org/x/text from 0.3.7 to 0.3.8 (#2072) @dependabot
• Bump golang.org/x/text from 0.3.7 to 0.3.8 in /plugins/notifications/slack (#2070) @dependabot
• Docker tests: use pytest-cs 0.2 (#2079) @mmetc
• Pin pytest-cs to a stable tag, cache virtualenvs, don't install ipython in CI (#2075) @mmetc
• chore: simplify pkg/database/alerts (#2062) @mmetc
• replace log.Fatal -> fmt.Errorf (#2058) @mmetc
• Bump github.com/containerd/containerd from 1.6.12 to 1.6.18 (#2060) @dependabot
• Bump github.com/docker/distribution from 2.7.1+incompatible to 2.8.0+incompatible (#1996) @dependabot
• CAPI error code handling tests (#2027) @rr404
• CI: set GOBIN instead of go install + cp (#2030) @mmetc
• CI: build with go 1.20 (#2031) @mmetc
• test: bats-detect tests for "cscli setup" (#2057) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.5.0-rc4

New Features

• Polling API Integration (behind feature flag) (#1715) @buixor
• Kubernetes audit acquisition (#1767) @blotus
• Crowdsec CTI API helpers (#1851) @buixor
• Alert context (#1895) @AlteredCoder
• cscli setup subcommand (behind feature flag) (#1923) @mmetc
• Feature flags support (#1933) @mmetc
• Conditional buckets (#1962) @blotus
• Allow parsers to capture data for future enrichment (#1969) @buixor
• S3 acquisition datasource (#2130) @blotus
• support IP and CIDR based whitelists for CAPI and 3rd party blocklists (#2132) @buixor
• Add transform configuration option for acquisition (#2144) @blotus
• Add experimental support for re2 (#2138) @blotus

Improvements

• Stream decisions from db (behind feature flag) (#1927) @blotus
• CI: functional docker tests (#2056) @mmetc
• Show s00 stats instead of "first_parser" (#2055) @LaurenceJJones
• optimize blocklist fetch (#2039) @nitescuc
• optimization - remove useless login call (#2036) @nitescuc
• Add IsIPV4() and IsIP() helpers (#2050) @blotus
• Add more strings helpers (#2040) @buixor
• Improve warnings around lack of evt.StrTime field (#1954) @buixor
• Add unix expr helper (#1952) @LaurenceJJones
• acquisition: validate datasources before configuration (static checks) (#1841) @mmetc
• CAPI v3 and blocklists links support (#2019) @nitescuc
• Docker: add cri-logs collection by default to support CRI log format (#2005) @he2ss
• add -error flag to crowdsec binary (#1903) @mmetc
• Suggest bouncers and machines to delete (#1896) @sabban
• Add socket support to mysql or mariadb (#1911) @LaurenceJJones
• Add postgres socket support (#1926) @LaurenceJJones
• docker: separate CLIENT_* and LAPI_* variables for tls certificates (#1929) @mmetc
• systemd: same restart options across deb, rpm, wizard (#1948) @mmetc
• Add unix time support to dateparse enricher (#1958) @LaurenceJJones
• retry with backoff requests to CAPI (#1957) @nitescuc
• fix yq behavior with bind-mount config.yaml (#1968) @mmetc
• cscli explain: add crowdsec path option (#1983) @mmetc
• normalize scopes for alerts and decisions (#2001) @buixor
• cscli config feature-flags (#2006) @mmetc
• docker: skip temporary installation of disabled items (#2018) @mmetc
• add dev docker image (based on master) (#2024) @he2ss
• Distance expr helper : Impossible travel (#2108) @buixor
• match expr helper (#2126) @buixor
• add ToString() helper (#2100) @blotus

Bug Fixes

• Do not try to refresh JWT token when doing a login request (#2059) @blotus
• Fix azure pipeline (#2041, #2044, #2046, #2048) @blotus
• clean up BUILD_GOVERSION which is set at runtime with runtime lib (#1901) @sabban
• remove pid_dir from config (#1906) @mmetc
• docker: correctly extract BOUNCER_KEY_* (#1913) @mmetc
• set cscli log timestamp to 24h (#1917) @mmetc
• docker: improve support for persistent configurations (#1915) @mmetc
• apiclient: fix http roundtrip (clone body also) (#1758) @he2ss
• ci: authenticate when looking up release information (#1936) @mmetc
• remove ignored flag "-m" in "cscli machines delete" (#1943) @mmetc
• fix tls communication with lapi and user/pw auth (#1956) @mmetc
• func tests: redirect stderr to filter extra logs (#1961) @mmetc
• fix parser test 2k23 (#1971) @mmetc
• Docker config/auth/TLS refactoring from v1.4.4 (#1967) @mmetc
• fix alert context CI when feature flags are enabled (#1979) @mmetc
• docker: add {VERSION}-slim tag to releases (#1977) @mmetc
• Change yaml patch from info to debug (#1980) @LaurenceJJones
• cscli: avoid initializing the db configuration twice (#1982) @mmetc
• silence yaml.local explicitly in cscli, keep in crowdsec/bouncer logs (#1981) @mmetc
• fix flaky parser unit test (#1985) @mmetc
• Fix docker_start.sh not properly handling env vars (#1993) @ruifung
• Fix reference to ghcr.io (#1999) @benscobie
• agent: fix message when -dsn is provided without -type (#2009) @mmetc
• allow use of literal $ in config.yaml (#2012) @mmetc
• allow literal $ in plugin configuration (#2015) @mmetc
• fix docker support for legacy vars (#2021) @mmetc
• error if tls.key_file or cert_file is missing (#2020)
• fix message "empty scenario" (#2065) @mmetc
• Propagate taints to top collections (fix #2064) (#2066) @mmetc

Chore / Deps

• replace log.Fatal -> fmt.Errorf (#2058) @mmetc
• Bump github.com/containerd/containerd from 1.6.12 to 1.6.18 (#2060) @dependabot
• Bump github.com/docker/distribution from 2.7.1+incompatible to 2.8.0+incompatible (#1996) @dependabot
• CAPI error code handling tests (#2027) @rr404
• CI: set GOBIN instead of go install + cp (#2030) @mmetc
• CI: build with go 1.20 (#2031) @mmetc
• test: bats-detect tests for "cscli setup" (#2057) @mmetc
• Cscli config refactoring (#1934) @mmetc
• separate cobra constructors: lapi, machines, bouncers, postoverflows (#1945) @mmetc
• bump docker actions to avoid deprecation warnings (#1966) @mmetc
• ci: remove hub dispatch, (msi) take release version from git history (#1949) @mmetc
• cscli refact: extracted New.*Cmd from alerts, capi, dashboard; removed some globals (#1990) @mmetc
• refact cscli decisions (#2003) @mmetc
• docker: replace BUILD_ENV with --target (#1995) @mmetc
• break in smaller functions cscli hub, hubtest, notifications, parsers, scenarios, simulation (#2004) @mmetc
• Store go module name in var in Makefile (#1989) @junnhy5
• remove SYSTEM=docker during build, update dockerignore (#2017) @mmetc
• use helpers for shorter tests, add a couple of error cases (#2016) @mmetc
• CI: update github actions and deprecated commands (#2023) @mmetc
• CI: bump more actions (#2028) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.5.0-rc3

New Features

• Polling API Integration (behind feature flag) (#1715) @buixor
• Kubernetes audit acquisition (#1767) @blotus
• Crowdsec CTI API helpers (#1851) @buixor
• Alert context (#1895) @AlteredCoder
• cscli setup subcommand (behind feature flag) (#1923) @mmetc
• Feature flags support (#1933) @mmetc
• Conditional buckets (#1962) @blotus
• Allow parsers to capture data for future enrichment (#1969) @buixor
• S3 acquisition datasource (#2130) @blotus
• support IP and CIDR based whitelists for CAPI and 3rd party blocklists (#2132) @buixor

Improvements

• Stream decisions from db (behind feature flag) (#1927) @blotus
• CI: functional docker tests (#2056) @mmetc
• Show s00 stats instead of "first_parser" (#2055) @LaurenceJJones
• optimize blocklist fetch (#2039) @nitescuc
• optimization - remove useless login call (#2036) @nitescuc
• Add IsIPV4() and IsIP() helpers (#2050) @blotus
• Add more strings helpers (#2040) @buixor
• Improve warnings around lack of evt.StrTime field (#1954) @buixor
• Add unix expr helper (#1952) @LaurenceJJones
• acquisition: validate datasources before configuration (static checks) (#1841) @mmetc
• CAPI v3 and blocklists links support (#2019) @nitescuc
• Docker: add cri-logs collection by default to support CRI log format (#2005) @he2ss
• add -error flag to crowdsec binary (#1903) @mmetc
• Suggest bouncers and machines to delete (#1896) @sabban
• Add socket support to mysql or mariadb (#1911) @LaurenceJJones
• Add postgres socket support (#1926) @LaurenceJJones
• docker: separate CLIENT_* and LAPI_* variables for tls certificates (#1929) @mmetc
• systemd: same restart options across deb, rpm, wizard (#1948) @mmetc
• Add unix time support to dateparse enricher (#1958) @LaurenceJJones
• retry with backoff requests to CAPI (#1957) @nitescuc
• fix yq behavior with bind-mount config.yaml (#1968) @mmetc
• cscli explain: add crowdsec path option (#1983) @mmetc
• normalize scopes for alerts and decisions (#2001) @buixor
• cscli config feature-flags (#2006) @mmetc
• docker: skip temporary installation of disabled items (#2018) @mmetc
• add dev docker image (based on master) (#2024) @he2ss
• Distance expr helper : Impossible travel (#2108) @buixor
• match expr helper (#2126) @buixor
• add ToString() helper (#2100) @blotus

Bug Fixes

• Do not try to refresh JWT token when doing a login request (#2059) @blotus
• Fix azure pipeline (#2041, #2044, #2046, #2048) @blotus
• clean up BUILD_GOVERSION which is set at runtime with runtime lib (#1901) @sabban
• remove pid_dir from config (#1906) @mmetc
• docker: correctly extract BOUNCER_KEY_* (#1913) @mmetc
• set cscli log timestamp to 24h (#1917) @mmetc
• docker: improve support for persistent configurations (#1915) @mmetc
• apiclient: fix http roundtrip (clone body also) (#1758) @he2ss
• ci: authenticate when looking up release information (#1936) @mmetc
• remove ignored flag "-m" in "cscli machines delete" (#1943) @mmetc
• fix tls communication with lapi and user/pw auth (#1956) @mmetc
• func tests: redirect stderr to filter extra logs (#1961) @mmetc
• fix parser test 2k23 (#1971) @mmetc
• Docker config/auth/TLS refactoring from v1.4.4 (#1967) @mmetc
• fix alert context CI when feature flags are enabled (#1979) @mmetc
• docker: add {VERSION}-slim tag to releases (#1977) @mmetc
• Change yaml patch from info to debug (#1980) @LaurenceJJones
• cscli: avoid initializing the db configuration twice (#1982) @mmetc
• silence yaml.local explicitly in cscli, keep in crowdsec/bouncer logs (#1981) @mmetc
• fix flaky parser unit test (#1985) @mmetc
• Fix docker_start.sh not properly handling env vars (#1993) @ruifung
• Fix reference to ghcr.io (#1999) @benscobie
• agent: fix message when -dsn is provided without -type (#2009) @mmetc
• allow use of literal $ in config.yaml (#2012) @mmetc
• allow literal $ in plugin configuration (#2015) @mmetc
• fix docker support for legacy vars (#2021) @mmetc
• error if tls.key_file or cert_file is missing (#2020)
• fix message "empty scenario" (#2065) @mmetc
• Propagate taints to top collections (fix #2064) (#2066) @mmetc

Chore / Deps

• replace log.Fatal -> fmt.Errorf (#2058) @mmetc
• Bump github.com/containerd/containerd from 1.6.12 to 1.6.18 (#2060) @dependabot
• Bump github.com/docker/distribution from 2.7.1+incompatible to 2.8.0+incompatible (#1996) @dependabot
• CAPI error code handling tests (#2027) @rr404
• CI: set GOBIN instead of go install + cp (#2030) @mmetc
• CI: build with go 1.20 (#2031) @mmetc
• test: bats-detect tests for "cscli setup" (#2057) @mmetc
• Cscli config refactoring (#1934) @mmetc
• separate cobra constructors: lapi, machines, bouncers, postoverflows (#1945) @mmetc
• bump docker actions to avoid deprecation warnings (#1966) @mmetc
• ci: remove hub dispatch, (msi) take release version from git history (#1949) @mmetc
• cscli refact: extracted New.*Cmd from alerts, capi, dashboard; removed some globals (#1990) @mmetc
• refact cscli decisions (#2003) @mmetc
• docker: replace BUILD_ENV with --target (#1995) @mmetc
• break in smaller functions cscli hub, hubtest, notifications, parsers, scenarios, simulation (#2004) @mmetc
• Store go module name in var in Makefile (#1989) @junnhy5
• remove SYSTEM=docker during build, update dockerignore (#2017) @mmetc
• use helpers for shorter tests, add a couple of error cases (#2016) @mmetc
• CI: update github actions and deprecated commands (#2023) @mmetc
• CI: bump more actions (#2028) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.