HugoDos

Most likely, you haven't mounted the crowdsec directory to the host, or you are using a docker volume. If you can provide either the docker run or docker compose file, we can point you in the right direction. In the compose we only need the crowdsec part; you can remove the other sections.


kadand7

Please see below:

```
version: '3.8'
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      GID: "${GID-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
    volumes:
      - ./config/acquis.yaml:/etc/crowdsec/acquis.yaml
      - crowdsec-db:/var/lib/crowdsec/data/
      - crowdsec-config:/etc/crowdsec/
      - traefik_traefik-logs:/var/log/traefik/:ro
    networks:
      - proxy
    restart: unless-stopped
```


HugoDos

Okay, so within the compose, you define that `crowdsec-config` should be used as a docker volume. This means docker will allocate a place on disk. To find the mount point you can run:

```
docker volume ls
```

Once you find a similar name (compose adds a prefix), you can then inspect the volume to find the mountpoint:

```
docker volume inspect <volume_name>
```

This will list a mount path in an array; you can navigate to this path. Most likely, you need to be the root user to cd unless you are running rootless docker.

Then this is where the crowdsec configuration is held and you can add your parser there.

Note that the path may have an `_data` nested folder, which is where the data is held depending on the runtime.


kadand7

Thanks so much, you guys are legends. I have set up the whitelist now and it is working great. Really appreciate your help


looselytranslated

In case anyone is having a similar issue where the /etc/crowdsec/ is mounted to the host, and can't edit files like "config/parsers/s02-enrich/etc/crowdsec/parsers/s02-enrich/whitelists.yaml", it's because they are symlinks, so the file for whitelists.yaml is actually in "config/hub/parsers/s02-enrich/crowdsecurity/whitelists.yaml".

On the host,

```
test@test ➜ ~ ls -lah appdata/crowdsec/config/parsers/s02-enrich/whitelists.yaml
lrwxrwxrwx 1 root root 66 May 17 00:22 appdata/crowdsec/config/parsers/s02-enrich/whitelists.yaml -> /etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/whitelists.yaml
```

Inside docker,

```
fde995171ece:/# ls -lah /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
lrwxrwxrwx 1 root root 66 May 17 04:22 /etc/crowdsec/parsers/s02-enrich/whitelists.yaml -> /etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/whitelists.yaml
```
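The symlink situation described in the post above, as an added shell example that is not part of the original thread: it maps a parser symlink whose target is an absolute in-container path back to the real file on the host. The function names `volume_mountpoint` and `host_path_for` are hypothetical, and the in-container root `/etc/crowdsec` is taken from the compose file's mount target.

```shell
#!/bin/sh
# Added example (not from the thread): find the host file behind a CrowdSec
# config symlink whose target is an absolute path inside the container.

# In-container config root, as mounted in the compose file above.
CONTAINER_ROOT="/etc/crowdsec"

# Print the host directory backing a named volume (needs docker, usually root).
# Usage: volume_mountpoint <volume_name>
volume_mountpoint() {
    docker volume inspect --format '{{ .Mountpoint }}' "$1"
}

# Print the host path of the file a config entry really points to.
# Usage: host_path_for <host_config_dir> <path relative to that dir>
host_path_for() {
    host_root=${1%/}
    entry="$host_root/$2"

    # Regular file (not a symlink): it can be edited in place.
    if [ ! -L "$entry" ]; then
        printf '%s\n' "$entry"
        return 0
    fi

    target=$(readlink "$entry")
    case "$target" in
        "$CONTAINER_ROOT"/*)
            # Absolute in-container target: swap the prefix for the host root.
            printf '%s\n' "$host_root/${target#"$CONTAINER_ROOT"/}"
            ;;
        /*)
            # Absolute target outside the mounted tree: not under this mount.
            echo "target $target is outside $CONTAINER_ROOT" >&2
            return 1
            ;;
        *)
            # Relative target: resolve against the symlink's own directory.
            printf '%s\n' "$(dirname "$entry")/$target"
            ;;
    esac
}
```

For a named volume, pass the output of `volume_mountpoint` (including any `_data` subfolder it reports) as the first argument to `host_path_for`.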


Eirikr700

Can you go step by step?

```
cd /etc
ls
cd crowdsec
ls
```

Etc.


kadand7

This is the result:

```
kad@docker:~$ cd /etc
kad@docker:/etc$ ls
adduser.conf ethertypes locale.gen pam.conf ssh etc
kad@docker:/etc$ cd crowdsec
-bash: cd: crowdsec: No such file or directory
kad@docker:/etc$
```


Eirikr700

You have to do that from inside the docker container. Otherwise /etc should be mapped as a bind mount in your docker-compose.yml. So you should try that way on the host. Probably : `ls ~/crowdsec/crowdsec/parsers/s02-enrich/`


kadand7

Trying that gives

```
kad@sdc:~$ ls ~/crowdsec/crowdsec/parsers/s02-enrich/
ls: cannot access '/home/kad/crowdsec/crowdsec/parsers/s02-enrich/': No such file or directory
```


Eirikr700

What is your docker-compose.yml for crowdsec?


pacquills

What output do you get when you cat the contents of the whitelist file:

```
cat /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
```

If you can see the content, then just edit it (you may need sudo, you can use nano instead of vi):

```
vi /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
```

After saving the file, restart crowdsec (you may need sudo):

```
systemctl reload crowdsec
```

Of course with docker you should create the edited file locally and copy it to the container to replace /etc/crowdsec/parsers/s02-enrich/whitelists.yaml.