Closed yye347 closed 1 year ago
@yye347: Thanks for opening an issue, it is currently awaiting triage.
Hi @yye347 , thanks for reporting
As you can see, the logs are created just a second after crowdsec is run (st_birthtime)
```sh
# stat -s /var/log/crowdsec/crowdsec.log
st_dev=18446744071679573761 st_ino=25 st_mode=0100600 st_nlink=1 st_uid=0 st_gid=0 st_rdev=18446744073709551615 st_size=5187 st_atime=1680853841 st_mtime=1680853499 st_ctime=1680853499 st_birthtime=1680853187 st_blksize=4096 st_blocks=16 st_flags=0
# stat -s /var/log/filter/latest.log
st_dev=18446744071679573761 st_ino=38 st_mode=0120750 st_nlink=1 st_uid=0 st_gid=0 st_rdev=18446744073709551615 st_size=35 st_atime=1680853644 st_mtime=1680853188 st_ctime=1680853188 st_birthtime=1680853188 st_blksize=4096 st_blocks=0 st_flags=0
```
For this case, there is an option I must add to /usr/local/etc/crowdsec/acquis.d/opnsense.yaml
```yaml
[...]
  # collection: crowdsecurity/sshd
  - /var/log/audit/latest.log
  # collection: crowdsecurity/opnsense-gui (web admin)
  - /var/log/lighttpd/latest.log
  # collection: firewallservices/pf
  - /var/log/filter/latest.log
force_inotify: true
labels:
  type: syslog
```
Just add force_inotify to your acquisition file and let me know. I'll add it to the 1.0.4 plugin. Even if FreeBSD has an alternative to inotify, the option covers both cases. Keep in mind that 1.0.3 has just been merged; it includes filter/latest.log, so you'll have to remove it on your side. Parsing the same file twice can increase the sensitivity of scenarios.
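Added example (editor's note, not code from this thread, the crowdsec project or the OPNsense plugin): the diagnostic above rests on comparing `st_birthtime` of the daemon's own log with that of the log it should acquire. The script below parses the two `stat -s` lines quoted in the comment (the FreeBSD `stat(1)` key=value output format, copied verbatim as constructed sample input), reports how many seconds after crowdsec.log the filter log appeared, and decodes `st_mode` so the file type is visible (the second line's `0120750` decodes to a symlink with mode 0750). The function names `parse_stat_s`, `file_type`, `created_after` and `diagnose` are hypothetical helpers for this example; using crowdsec.log's birth time as a stand-in for the daemon's start time is the same approximation the comment makes.

```python
import stat

# Constructed sample input: the two `stat -s` lines quoted in the comment above.
# `stat -s` on FreeBSD prints space-separated key=value pairs; st_mode is octal
# with a leading 0, every other field is decimal.
CROWDSEC_LOG = (
    "st_dev=18446744071679573761 st_ino=25 st_mode=0100600 st_nlink=1 "
    "st_uid=0 st_gid=0 st_rdev=18446744073709551615 st_size=5187 "
    "st_atime=1680853841 st_mtime=1680853499 st_ctime=1680853499 "
    "st_birthtime=1680853187 st_blksize=4096 st_blocks=16 st_flags=0"
)
FILTER_LOG = (
    "st_dev=18446744071679573761 st_ino=38 st_mode=0120750 st_nlink=1 "
    "st_uid=0 st_gid=0 st_rdev=18446744073709551615 st_size=35 "
    "st_atime=1680853644 st_mtime=1680853188 st_ctime=1680853188 "
    "st_birthtime=1680853188 st_blksize=4096 st_blocks=0 st_flags=0"
)


def parse_stat_s(line: str) -> dict:
    """Parse one line of `stat -s` output into a dict of integer fields (hypothetical helper)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        # st_mode is printed in octal (e.g. 0120750); all other fields are decimal.
        fields[key] = int(value, 8) if key == "st_mode" else int(value)
    return fields


def file_type(mode: int) -> str:
    """Decode the file-type bits of st_mode using the standard S_IS* predicates."""
    if stat.S_ISLNK(mode):
        return "symlink"
    if stat.S_ISREG(mode):
        return "regular file"
    if stat.S_ISDIR(mode):
        return "directory"
    return "other"


def created_after(reference: dict, candidate: dict) -> int:
    """Seconds between the reference file's birth time and the candidate's.

    A positive value means the candidate was created after the reference file,
    which for a tail-from-end acquisition is the case the comment describes.
    """
    return candidate["st_birthtime"] - reference["st_birthtime"]


def diagnose(reference_line: str, candidate_line: str) -> dict:
    """Run the birth-time comparison and st_mode decoding over two `stat -s` lines."""
    ref = parse_stat_s(reference_line)
    cand = parse_stat_s(candidate_line)
    delta = created_after(ref, cand)
    return {
        "delta_seconds": delta,
        "created_after_daemon_log": delta > 0,
        "candidate_type": file_type(cand["st_mode"]),
        "candidate_mode": oct(stat.S_IMODE(cand["st_mode"])),
        "candidate_inode": cand["st_ino"],
    }


if __name__ == "__main__":
    # On the thread's sample data this reports a 1 s gap and a symlink target.
    print(diagnose(CROWDSEC_LOG, FILTER_LOG))
```

On the sample data the result shows the filter log born one second after crowdsec.log, consistent with the maintainer's reading that the file did not yet exist when acquisition started, and that the path stat'ed is a symlink rather than the regular file the data is written to. On a live box the same check can be run after every reboot: a positive delta is the signature of the RAM-disk ordering problem, and a changed `st_ino` between runs indicates the file was recreated rather than appended to.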
It works now, thanks!
What happened?
When OPNsense is configured to use a RAM disk for /var/log, Crowdsec is unable to acquire the /var/log/filter/latest.log file upon system reboot. However, nginx logs under /var/log/nginx are working as expected. Manually restarting Crowdsec resolves the issue temporarily.
What did you expect to happen?
Crowdsec should automatically acquire the /var/log/filter/latest.log file after an OPNsense reboot, even when using a RAM disk for /var/log.
How can we reproduce it (as minimally and precisely as possible)?
Anything else we need to know?
Crowdsec version
OS version
Enabled collections and parsers
Acquisition config
Config show
Prometheus metrics
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.