Logs Not Being Parsed
Hi - I'm running CrowdSec on my CloudPanel VPS (Ubuntu 24.04 LTS) and noticed that none of my logs are being parsed, even though lines are being read. Screenshots are attached for reference.
The CrowdSec engine and firewall bouncer are running fine.
Following is the sample log format in /var/log/auth.log file:
2025-07-18T21:57:39.443985+05:00 MY-SERVER sudo: pam_unix(sudo:session): session opened for user root(uid=0) by USERNAME(uid=XXXX)
I am facing the same issue with all my VPSes. I need your help to resolve my problem. Thanks


Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command
/resolve
or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
2025-07-18T21:57:39.443985+05:00 MY-SERVER sudo: pam_unix(sudo:session): session opened for user root(uid=0) by USERNAME(uid=XXXX)
This is a sudo command, for which we do not have a parser, as the user has already been authenticated. You have installed the ssh parser and nginx parser, so what are you expecting to be parsed?
You also might be interested in https://www.crowdsec.net/blog/monitoring-suspicious-behavior-on-shared-hosting-platforms if you wanted to detect bad users.
Hi - Thanks for your response. I put this sudo command just for referring to the format of logs which are being stored in /var/log/auth.log.
Please review my screenshots. The logs are not being parsed at all. This is the issue I am facing.
The only logs which would be parsed from auth.log are sshd / ssh logs, so if you run
PFA output against the command you shared.

Yeah sorry, my grep didn't account for successful logs.
If you view the log file do you see any failed attempts?
like these maybe:
or
grep "Failed password" /var/log/auth.log
No output
grep "authentication failure" /var/log/auth.log
One failure log and that's me.
Yes, so you get very minimal login attempts, hence why there are no metrics.

interesting, can you DM me the log line?
Ok
Okay I see, sorry, this is still not an ssh log line, so that's why.
Do you have ssh firewalled or on another port? Cause it seems nobody is attacking this port.
Plus for nginx, CLP places logs in each user home directory so you should create an entry for these files
Hahaha
Yes, I changed my default SSH port to some custom one
yeah so you will get minimal threats unless somebody goes to find it, you should configure crowdsec to find CLP nginx logs for each host then you might see an improvement.
Ok. Thank you. Is there any document/guide to cover this, as I am not a pro in Linux/CrowdSec?
Add new log sources | CrowdSec
We will be adding a file based acquisition. If you need to use a different source then alter the instructions to match your needs.
But I already put the contents of the file; you just need to create it under
/etc/crowdsec/acquis.d/nginx.yaml
Noted with thanks. I appreciate your support.
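
As an added example (not part of the thread and not CrowdSec code), a shell triage script for the situation discussed above: it breaks an auth.log-style file down by syslog program tag and counts sshd lines separately, which shows why a grep hit on "authentication failure" coming from sudo is still not an ssh log line. The function names and the sample lines other than the sudo session line are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added triage example, not CrowdSec code. Assumes the auth.log layout shown in
# the thread: <RFC 3339 timestamp> <host> <program>[pid]: <message>

# Print "<count> <program>" per syslog program tag, busiest first.
programs_in_log() {
    awk '{ p = $3; sub(/(\[[0-9]+\])?:$/, "", p); n[p]++ }
         END { for (p in n) print n[p], p }' "$1" | sort -rn
}

# Count lines written by sshd, the only auth.log lines an ssh parser looks at.
count_sshd_lines() {
    awk '$3 ~ /^sshd(\[[0-9]+\])?:$/ { c++ } END { print c + 0 }' "$1"
}

# Count sshd lines matching the failure strings grepped for in the thread.
count_sshd_failures() {
    awk '$3 ~ /^sshd(\[[0-9]+\])?:$/ && /Failed password|authentication failure/ { c++ }
         END { print c + 0 }' "$1"
}

# Constructed sample: the sudo session line from the thread plus made-up sudo,
# CRON and sshd lines (203.0.113.7 is a documentation address, not a real source).
write_sample_log() {
    cat > "$1" <<'EOF'
2025-07-18T21:57:39.443985+05:00 MY-SERVER sudo: pam_unix(sudo:session): session opened for user root(uid=0) by USERNAME(uid=XXXX)
2025-07-18T21:58:02.000001+05:00 MY-SERVER sudo: pam_unix(sudo:auth): authentication failure; logname=USERNAME uid=XXXX euid=0 tty=/dev/pts/0 ruser=USERNAME rhost=  user=USERNAME
2025-07-18T22:00:01.101010+05:00 MY-SERVER CRON[4242]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
2025-07-18T22:03:12.202020+05:00 MY-SERVER sshd[5151]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
2025-07-18T22:05:44.303030+05:00 MY-SERVER sshd[5160]: Accepted publickey for USERNAME from 203.0.113.7 port 40100 ssh2
EOF
}

# Use the file given as $1, or fall back to the constructed sample.
log="${1:-}"
if [ -z "$log" ]; then
    log="$(mktemp)"
    write_sample_log "$log"
    sample=1
fi
programs_in_log "$log"
echo "sshd lines: $(count_sshd_lines "$log")  sshd failures: $(count_sshd_failures "$log")"
if [ -n "${sample:-}" ]; then rm -f "$log"; fi
```

Run it with `/var/log/auth.log` as the first argument to check a real file; a file with no sshd lines gives the ssh parser nothing to match.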