[auditd] Postoverflow whitelist blank source and type in metrics

[LaurenceJJones]

I need to investigate why the crowdsecurity/auditd whitelist causes a : data source being shown:

│ crowdsecurity/auditd-whitelisted-process │ package managers            │ 251    │ 5           │

then in datasource I see

╭────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source                         │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ :                              │ -          │ -            │ -              │ -                      │ 5                 │

[github-actions]

@LaurenceJJones: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[github-actions]

@LaurenceJJones: There are no 'kind' label on this issue. You need a 'kind' label to start the triage process.

• /kind feature
• /kind enhancement
• /kind refactoring
• /kind bug
• /kind packaging

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[LaurenceJJones]

debug:

cs_node_hits_total{name="crowdsecurity/auditd-whitelisted-process",source="",type=""} 252
cs_node_hits_total{name="crowdsecurity/whitelists",source="/var/log/audit/audit.log",type="file"} 420894
cs_node_hits_total{name="crowdsecurity/whitelists",source="/var/log/auth.log",type="file"} 1151
cs_node_hits_total{name="crowdsecurity/whitelists",source="/var/log/kern.log",type="file"} 1151
cs_node_hits_total{name="crowdsecurity/whitelists",source="/var/log/mail.log",type="file"} 3264
cs_node_hits_total{name="crowdsecurity/whitelists",source="/var/log/nginx/access.log",type="file"} 75645
cs_node_hits_total{name="crowdsecurity/whitelists",source="/var/log/nginx/error.log",type="file"} 1913
cs_node_hits_total{name="crowdsecurity/whitelists",source="appsec",type="appsec"} 5
cs_node_hits_total{name="crowdsecurity/whitelists",source="endlessh",type="docker"} 9250
cs_node_wl_hits_ok_total{name="crowdsecurity/auditd-whitelisted-process",reason="package managers",source="",type=""} 5
cs_node_wl_hits_ok_total{name="my/whitelists",reason="personal ip/ranges",source="/var/log/mail.log",type="file"} 2954
cs_node_wl_hits_ok_total{name="my/whitelists",reason="personal ip/ranges",source="/var/log/nginx/access.log",type="file"} 68055
cs_node_wl_hits_ok_total{name="my/whitelists",reason="personal ip/ranges",source="/var/log/nginx/error.log",type="file"} 38

type and source are both blank for cs_node_hits_total and cs_node_wl_hits_ok_total

crowdsec/pkg/parser/whitelist.go

Line 81 in bfed861

NodesWlHits.With(prometheus.Labels{"source": p.Line.Src, "type": p.Line.Module, "name": n.Name, "reason": n.Whitelist.Reason}).Inc()

p.Line must be empty upon changing to an overflow alert? or is specific the pid based detections.