C
CrowdSec3mo ago
PopeRigby

Caddy not showing up in acquisition metrics

I have the following acquisition for Caddy: 
filenames:
- /var/log/caddy-crowdsec/*.log
labels:
  type: caddy
filenames:
- /var/log/caddy-crowdsec/*.log
labels:
  type: caddy
I've mounted the logs at this location because I can't change the permissions of the original directory. My problem is that it doesn't show up in the acquisition metrics. When I run... 
sudo tail -n 10 /var/log/caddy-crowdsec/access-auth.haddock.cc.log | cs explain -f- --type caddy -v
sudo tail -n 10 /var/log/caddy-crowdsec/access-auth.haddock.cc.log | cs explain -f- --type caddy -v
...it gives me this output: https://gist.github.com/poperigby/fcf207a3ce03d51f3777b800358878bc
Gist
gist:fcf207a3ce03d51f3777b800358878bc
GitHub Gist: instantly share code, notes, and snippets.
7 Replies
CrowdSec
CrowdSec3mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
PopeRigby
PopeRigbyOP3mo ago
Here are my acqusition metrics: 
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics                                                                                                                                      │
├────────────────────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                                                         │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ :                                                              │ -          │ -            │ -              │ -                      │ 74                │
│ file:/var/log/audit/audit.log                                  │ 2.05M      │ 1.98M        │ 79.16k         │ 351.17k                │ -                 │
│ journalctl:journalctl-%s_SYSTEMD_UNIT=authelia-haddock.service │ 510        │ 510          │ -              │ -                      │ -                 │
│ journalctl:journalctl-%s_SYSTEMD_UNIT=immich-server.service    │ 2          │ -            │ 2              │ -                      │ -                 │
│ journalctl:journalctl-%s_SYSTEMD_UNIT=sshd.service             │ 1.14k      │ 935          │ 206            │ 2.06k                  │ -                 │
╰────────────────────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics                                                                                                                                      │
├────────────────────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                                                         │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ :                                                              │ -          │ -            │ -              │ -                      │ 74                │
│ file:/var/log/audit/audit.log                                  │ 2.05M      │ 1.98M        │ 79.16k         │ 351.17k                │ -                 │
│ journalctl:journalctl-%s_SYSTEMD_UNIT=authelia-haddock.service │ 510        │ 510          │ -              │ -                      │ -                 │
│ journalctl:journalctl-%s_SYSTEMD_UNIT=immich-server.service    │ 2          │ -            │ 2              │ -                      │ -                 │
│ journalctl:journalctl-%s_SYSTEMD_UNIT=sshd.service             │ 1.14k      │ 935          │ 206            │ 2.06k                  │ -                 │
╰────────────────────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
PopeRigby
PopeRigbyOP3mo ago
Here's my log: https://gist.github.com/poperigby/2a9342b5c6a2ffe1f1cf6bb966fa5621
Gist
gist:2a9342b5c6a2ffe1f1cf6bb966fa5621
GitHub Gist: instantly share code, notes, and snippets.
iiamloz
iiamloz3mo ago
Can you add to the acquisition file this property 
poll_without_inotify: true
poll_without_inotify: true
and see if that makes it show when a new log comes in
PopeRigby
PopeRigbyOP3mo ago
Yeah that makes them show up Why do you think it's the case that they only show up with that? Because if this is a bug I'd like to report it
iiamloz
iiamloz3mo ago
its not a bug, most likely you are using some sort of NFS share or volume mount and because the default file datasource uses inotify, inotify does not work in NFS environments so enabling the option informs the datasource to manually poll the file instead.
PopeRigby
PopeRigbyOP3mo ago
Ohhhhh, I'm using a FUSE BindFS to allow CrowdSec to have permissions to access it. Hopefully I can make inotify work on that somehow.

Did you find this page helpful?