Need help installing CrowdSec

I have installed crowdsec as per the doc on an Ubuntu 24 machine:
curl -s https://install.crowdsec.net | sudo sh
apt list crowdsec
Listing... Done
crowdsec/any 1.7.3 amd64
N: There are 20 additional versions. Please use the '-a' switch to see them
sudo apt install crowdsec
sudo apt install crowdsec-firewall-bouncer-iptables
sudo cscli metrics show acquisition
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics │
├────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log │ 82 │ 54 │ 28 │ 167 │ - │
│ file:/var/log/syslog │ 14 │ - │ 14 │ - │ - │
╰────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
(rest in comment, too long~!)
3 Replies
CrowdSec
CrowdSec3w ago
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
smileBeda
smileBedaOP3w ago
Then, as I run Caddy, in Docker, I added:
cscli collections install crowdsecurity/caddy
sudo systemctl reload crowdsec
sudo cscli collections list -a
crowdsecurity/base-http-scenarios ✔️ enabled 1.2 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/caddy ✔️ enabled 0.1 /etc/crowdsec/collections/caddy.yaml ...
crowdsecurity/http-cve ✔️ enabled 2.9 /etc/crowdsec/collections/http-cve.yaml
crowdsecurity/linux ✔️ enabled 0.3 /etc/crowdsec/collections/linux.yaml ...
crowdsecurity/sshd ✔️ enabled 0.7 /etc/crowdsec/collections/sshd.yaml ...
crowdsecurity/whitelist-good-actors ✔️ enabled 0.2 /etc/crowdsec/collections/whitelist-good-actors.yaml
And then:
sudo cscli metrics show acquisition
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics │
├────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log │ 2 │ - │ 2 │ - │ - │
╰────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
In other words, I am confused:
- it not only does not see the caddy logs,
- it also removed the previously seen syslog,
- the DOC says I should create a /etc/crowdsec/acquis.d/NAME.yaml file with contents like:
filenames:
  - /opt/caddy/var/log/*.log
labels:
  type: caddy
(I saw that only by accident in some doc thanks to GPT) I did that. Note, yes my logs of caddy, even if a docker image, are on the host, and they are readable by root of course. I then deleted the caddy.yaml, then sudo systemctl reload crowdsec and cscli metrics show acquisition... and
╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics │
├───────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├───────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/opt/caddy/var/log/caddy.log │ 384 │ 384 │ - │ 56 │ 273 │
│ file:/var/log/auth.log │ 202 │ 105 │ 97 │ 309 │ - │
│ file:/var/log/syslog │ 11 │ - │ 11 │ - │ - │
╰───────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
So, I am totally lost. Why is the acquisition appearing when I delete the file, and disappearing when I add it?!
I think it's solved. It needed some patience: the bucket is filling up!
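An added example, not from the thread or from CrowdSec's own tooling: a small parser for two `cscli metrics show acquisition` snapshots shaped like the tables above, which flags the two symptoms the poster ran into (a source that vanished from the table after a reload, and a source that reads lines but parses none). The sample snapshots are constructed from the numbers in the thread.

```python
from typing import Dict, List

# Constructed sample snapshots shaped like the `cscli metrics show acquisition`
# tables in the thread (not captured from a real host); "-" means zero.
SNAPSHOT_BEFORE = """\
│ Acquisition Metrics │
├────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
│ file:/var/log/auth.log │ 82 │ 54 │ 28 │ 167 │ - │
│ file:/var/log/syslog │ 14 │ - │ 14 │ - │ - │
╰────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
"""
SNAPSHOT_AFTER = """\
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
│ file:/var/log/auth.log │ 2 │ - │ 2 │ - │ - │
"""


def parse_acquisition(table: str) -> Dict[str, Dict[str, int]]:
    """Map each acquisition source to its per-column counters."""
    header: List[str] = []
    rows: Dict[str, Dict[str, int]] = {}
    for line in table.splitlines():
        if not line.startswith("│"):
            continue  # box borders carry no data
        cells = [c.strip() for c in line.strip("│").split("│")]
        if len(cells) < 2:
            continue  # the "Acquisition Metrics" title cell
        if cells[0] == "Source":
            header = cells[1:]
            continue
        rows[cells[0]] = {k: 0 if v == "-" else int(v) for k, v in zip(header, cells[1:])}
    return rows


def diagnose(before: str, after: str) -> List[str]:
    """Flag sources that vanished between snapshots or read lines without parsing any."""
    old, new = parse_acquisition(before), parse_acquisition(after)
    findings = [f"{src}: absent from newer snapshot (acquisition removed, or no lines read since reload)"
                for src in sorted(set(old) - set(new))]
    for src, counts in sorted(new.items()):
        if counts.get("Lines read", 0) and not counts.get("Lines parsed", 0):
            findings.append(f"{src}: read {counts['Lines read']} lines but parsed none "
                            "(check that the acquis label type matches an installed parser)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(finding)
```

Run it against two real snapshots taken before and after a reload; a source that is absent right after the reload and reappears once lines arrive is the "be patient" case from this thread, while a source stuck at zero parsed lines points at the acquis label.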
CrowdSec
CrowdSec3w ago
Resolving "Need help installing CrowdSec": This has now been resolved. If you think this is a mistake please run /unresolve
