Syslog not getting parsed...

Hi all, for some odd reason my syslog (and some others) are not getting parsed... The syslog is passed fine to the container (as I can cat the syslog file and see it being updated).

acquis:
filenames:
  - /var/log/auth.log
  - /var/log/syslog
  - /var/log/kern.log
labels:
  type: syslog

Metrics:
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics │
├──────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├──────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ docker:baikal │ 155 │ - │ 155 │ - │ - │
│ file:/authelia_logs/authelia.log │ 26 │ 26 │ - │ - │ - │
╰──────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
╭─🎯 ubuntu on docker in ~ 3s993ms
╰─❯ docker exec -it crowdsec ls -l /var/log/syslog
-rw-r----- 1 104 adm 54096406 May 22 05:10 /var/log/syslog
blotus, 2mo ago
Having unparsed logs is normal, crowdsec only looks for patterns that are useful to it (for example, in auth logs, it would be auth failure). Can you run cscli collections list and cscli parsers list to see if the proper collections/parsers are installed?
PintjesBier (OP), 2mo ago
So it doesn't even list unparsed lines in the metrics? Linux collection & crowdsecurity/syslog-logs is present.
blotus, 2mo ago
Ah, I misread your metrics. For the metrics to appear in cscli metrics, crowdsec must have read at least one line from the file. If you have nothing, it means nothing was read.
PintjesBier (OP), 2mo ago
Yeah that's what I thought... It's not reading any lines... Or am I mistaken and is everything working correctly?
_KaszpiR_, 2mo ago
Remember to reload the service. And try sudo with a bad password; it should pick up auth.log within seconds.
PintjesBier (OP), 2mo ago
Okay, seems like rsyslog was uninstalled for some odd reason.... Solved now. Thanks!
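
Added example, not part of the thread and not CrowdSec's own tooling: a Python check for the situation the replies describe, listing configured acquisition files that have no row in the metrics table (so no line was ever read) and flagging files that are missing or no longer being written. The config and metrics text are taken from the post; the function names and the 600-second staleness threshold are assumptions.

```python
import os, time
# Constructed sample: acquisition config and metrics rows as posted in the thread.
ACQUIS = """\
filenames:
  - /var/log/auth.log
  - /var/log/syslog
  - /var/log/kern.log
labels:
  type: syslog
"""
METRICS = """\
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
│ docker:baikal │ 155 │ - │ 155 │ - │ - │
│ file:/authelia_logs/authelia.log │ 26 │ 26 │ - │ - │ - │
"""

def configured_files(acquis_text):
    """Paths listed under `filenames:` (minimal line parser; globs are not expanded)."""
    files, in_list = [], False
    for line in map(str.strip, acquis_text.splitlines()):
        if line.startswith("filenames:"):
            in_list = True
        elif in_list and line.startswith("- "):
            files.append(line[2:].strip())
        elif line:
            in_list = False
    return files

def sources_with_reads(metrics_text):
    """Map each source in the metrics table to its 'Lines read' count."""
    seen = {}
    for line in metrics_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("│").split("│")]
        if len(cells) >= 2 and cells[1].isdigit():
            seen[cells[0]] = int(cells[1])
    return seen

def never_read(acquis_text, metrics_text):
    """Configured files with no `file:<path>` row: crowdsec read no line from them."""
    seen = sources_with_reads(metrics_text)
    return [f for f in configured_files(acquis_text) if "file:" + f not in seen]

def stale(path, max_age_s=600, now=None):
    """True if the file is missing or older than max_age_s (600 s is an assumed default)."""
    now = time.time() if now is None else now
    return not os.path.exists(path) or now - os.path.getmtime(path) > max_age_s

if __name__ == "__main__":
    for f in never_read(ACQUIS, METRICS):
        print(f, "-> no lines read;", "missing or stale" if stale(f) else "being written")
```

A file that shows up as both never read and stale points at the log producer (here, rsyslog) rather than at the parsers or collections.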