Nextcloud AIO + Crowdsec - Can't parse

Hey,

I can't parse the log file /var/lib/docker/volumes/nextcloud_aio_nextcloud/_data/data/nextcloud.log in the CrowdSec acquis.yaml because it is owned by www-data of the Docker container?!

I even mounted the Nextcloud data at /mnt/ncdata and the log file is available there, but I am still not able to parse it.

I don’t use Crowdsec, only Fail2ban, but I would say that the ownership of the file shouldn’t be an issue, since it’s basically always owned by the webserver user, regardless of whether you are using AIO or some other installation type.

Did you actually install the respective collections/parsers and configure them accordingly?

Maybe the following links are of any help:

https://github.com/nextcloud/all-in-one/discussions/2194

https://app.crowdsec.net/hub/author/crowdsecurity/configurations/nextcloud-logs

https://www.c-rieger.de/nextcloud-installationsanleitung/#c06 (German)

Yes, collections and parsers are installed. It is still not parsing the nextcloud.log.

The acquis.yaml:

#Generated acquisition file - wizard.sh (service: ssh) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/kern.log
filenames:
  - /var/log/syslog
  - /var/log/kern.log
labels:
  type: syslog
---
filenames:
 - /var/lib/docker/volumes/nextcloud_aio_nextcloud/_data/data/nextcloud.log
 - /mnt/ncdata/nextcloud.log
 - /var/log/nextcloud/nextcloud.log
labels:
  type: Nextcloud
---
source: journalctl
journalctl_filter:
  - "SYSLOG_IDENTIFIER=Nextcloud"
labels:
  type: syslog
---
source: docker
container_name:
  - nextcloud-aio-nextcloud
labels:
  type: syslog
---

cscli metrics, where the acquisition is only reading 3 files:

Acquisition Metrics:
╭────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│         Source         │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log │ 5          │ -            │ 5              │ -                      │ -                 │
│ file:/var/log/kern.log │ 80         │ -            │ 80             │ -                      │ -                 │
│ file:/var/log/syslog   │ 265        │ -            │ 265            │ -                      │ -                 │
╰────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

Local API Decisions:
╭────────────────────────────────────────────┬────────┬────────┬───────╮
│                   Reason                   │ Origin │ Action │ Count │
├────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/http-probing                 │ CAPI   │ ban    │ 7171  │
│ crowdsecurity/http-sensitive-files         │ CAPI   │ ban    │ 160   │
│ crowdsecurity/ssh-bf                       │ CAPI   │ ban    │ 8194  │
│ crowdsecurity/ssh-slow-bf                  │ CAPI   │ ban    │ 2474  │
│ ltsich/http-w00tw00t                       │ CAPI   │ ban    │ 4     │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI   │ ban    │ 442   │
│ crowdsecurity/http-crawl-non_statics       │ CAPI   │ ban    │ 2677  │
│ firehol_cruzit_web_attacks                 │ lists  │ ban    │ 13175 │
│ tor-exit-nodes                             │ lists  │ ban    │ 1137  │
╰────────────────────────────────────────────┴────────┴────────┴───────╯

Local API Metrics:
╭────────────────────┬────────┬──────╮
│        Route       │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/heartbeat      │ GET    │ 6    │
│ /v1/watchers/login │ POST   │ 1    │
╰────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭──────────────────────────────────────────────────┬───────────────┬────────┬──────╮
│                      Machine                     │     Route     │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ d529457f0a99f707d70723c26657957f5HTD9830euNCrzo7 │ /v1/heartbeat │ GET    │ 6    │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯

Parser Metrics:
╭─────────────────────────────────┬──────┬────────┬──────────╮
│             Parsers             │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/syslog-logs │ 350  │ 350    │ -        │
│ crowdsecurity/syslog-logs       │ 350  │ 350    │ -        │
╰─────────────────────────────────┴──────┴────────┴──────────╯

The collections, parsers and scenarios:

COLLECTIONS
─────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                               📦 Status    Version  Local Path
─────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/base-http-scenarios  ✔️  enabled  1.0      /etc/crowdsec/collections/base-http-scenarios.yaml
 crowdsecurity/http-cve             ✔️  enabled  2.6      /etc/crowdsec/collections/http-cve.yaml
 crowdsecurity/linux                ✔️  enabled  0.2      /etc/crowdsec/collections/linux.yaml
 crowdsecurity/nextcloud            ✔️  enabled  0.3      /etc/crowdsec/collections/nextcloud.yaml
 crowdsecurity/nginx                ✔️  enabled  0.2      /etc/crowdsec/collections/nginx.yaml
 crowdsecurity/sshd                 ✔️  enabled  0.3      /etc/crowdsec/collections/sshd.yaml
─────────────────────────────────────────────────────────────────────────────────────────────────────────────

SCENARIOS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                                              📦 Status    Version  Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/apache_log4j2_cve-2021-44228        ✔️  enabled  0.6      /etc/crowdsec/scenarios/apache_log4j2_cve-2021-44228.yaml
 crowdsecurity/CVE-2017-9841                       ✔️  enabled  0.2      /etc/crowdsec/scenarios/CVE-2017-9841.yaml
 crowdsecurity/CVE-2019-18935                      ✔️  enabled  0.2      /etc/crowdsec/scenarios/CVE-2019-18935.yaml
 crowdsecurity/CVE-2022-26134                      ✔️  enabled  0.2      /etc/crowdsec/scenarios/CVE-2022-26134.yaml
 crowdsecurity/CVE-2022-35914                      ✔️  enabled  0.2      /etc/crowdsec/scenarios/CVE-2022-35914.yaml
 crowdsecurity/CVE-2022-37042                      ✔️  enabled  0.2      /etc/crowdsec/scenarios/CVE-2022-37042.yaml
 crowdsecurity/CVE-2022-40684                      ✔️  enabled  0.3      /etc/crowdsec/scenarios/CVE-2022-40684.yaml
 crowdsecurity/CVE-2022-41082                      ✔️  enabled  0.4      /etc/crowdsec/scenarios/CVE-2022-41082.yaml
 crowdsecurity/CVE-2022-41697                      ✔️  enabled  0.2      /etc/crowdsec/scenarios/CVE-2022-41697.yaml
 crowdsecurity/CVE-2022-42889                      ✔️  enabled  0.3      /etc/crowdsec/scenarios/CVE-2022-42889.yaml
 crowdsecurity/CVE-2022-44877                      ✔️  enabled  0.3      /etc/crowdsec/scenarios/CVE-2022-44877.yaml
 crowdsecurity/CVE-2022-46169                      ✔️  enabled  0.2      /etc/crowdsec/scenarios/CVE-2022-46169.yaml
 crowdsecurity/CVE-2023-22515                      ✔️  enabled  0.1      /etc/crowdsec/scenarios/CVE-2023-22515.yaml
 crowdsecurity/CVE-2023-22518                      ✔️  enabled  0.2      /etc/crowdsec/scenarios/CVE-2023-22518.yaml
 crowdsecurity/CVE-2023-49103                      ✔️  enabled  0.3      /etc/crowdsec/scenarios/CVE-2023-49103.yaml
 crowdsecurity/f5-big-ip-cve-2020-5902             ✔️  enabled  0.2      /etc/crowdsec/scenarios/f5-big-ip-cve-2020-5902.yaml
 crowdsecurity/fortinet-cve-2018-13379             ✔️  enabled  0.3      /etc/crowdsec/scenarios/fortinet-cve-2018-13379.yaml
 crowdsecurity/grafana-cve-2021-43798              ✔️  enabled  0.2      /etc/crowdsec/scenarios/grafana-cve-2021-43798.yaml
 crowdsecurity/http-admin-interface-probing        ✔️  enabled  0.4      /etc/crowdsec/scenarios/http-admin-interface-probing.yaml
 crowdsecurity/http-backdoors-attempts             ✔️  enabled  0.6      /etc/crowdsec/scenarios/http-backdoors-attempts.yaml
 crowdsecurity/http-bad-user-agent                 ✔️  enabled  1.2      /etc/crowdsec/scenarios/http-bad-user-agent.yaml
 crowdsecurity/http-crawl-non_statics              ✔️  enabled  0.7      /etc/crowdsec/scenarios/http-crawl-non_statics.yaml
 crowdsecurity/http-cve-2021-41773                 ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-cve-2021-41773.yaml
 crowdsecurity/http-cve-2021-42013                 ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-cve-2021-42013.yaml
 crowdsecurity/http-cve-probing                    ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-cve-probing.yaml
 crowdsecurity/http-generic-bf                     ✔️  enabled  0.6      /etc/crowdsec/scenarios/http-generic-bf.yaml
 crowdsecurity/http-open-proxy                     ✔️  enabled  0.5      /etc/crowdsec/scenarios/http-open-proxy.yaml
 crowdsecurity/http-path-traversal-probing         ✔️  enabled  0.4      /etc/crowdsec/scenarios/http-path-traversal-probing.yaml
 crowdsecurity/http-probing                        ✔️  enabled  0.4      /etc/crowdsec/scenarios/http-probing.yaml
 crowdsecurity/http-sensitive-files                ✔️  enabled  0.4      /etc/crowdsec/scenarios/http-sensitive-files.yaml
 crowdsecurity/http-sqli-probing                   ✔️  enabled  0.4      /etc/crowdsec/scenarios/http-sqli-probing.yaml
 crowdsecurity/http-wordpress-scan                 ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-wordpress-scan.yaml
 crowdsecurity/http-xss-probing                    ✔️  enabled  0.4      /etc/crowdsec/scenarios/http-xss-probing.yaml
 crowdsecurity/jira_cve-2021-26086                 ✔️  enabled  0.3      /etc/crowdsec/scenarios/jira_cve-2021-26086.yaml
 crowdsecurity/netgear_rce                         ✔️  enabled  0.3      /etc/crowdsec/scenarios/netgear_rce.yaml
 crowdsecurity/nextcloud-bf                        ✔️  enabled  0.3      /etc/crowdsec/scenarios/nextcloud-bf.yaml
 crowdsecurity/nginx-req-limit-exceeded            ✔️  enabled  0.3      /etc/crowdsec/scenarios/nginx-req-limit-exceeded.yaml
 crowdsecurity/pulse-secure-sslvpn-cve-2019-11510  ✔️  enabled  0.3      /etc/crowdsec/scenarios/pulse-secure-sslvpn-cve-2019-11510.yaml
 crowdsecurity/spring4shell_cve-2022-22965         ✔️  enabled  0.3      /etc/crowdsec/scenarios/spring4shell_cve-2022-22965.yaml
 crowdsecurity/ssh-bf                              ✔️  enabled  0.3      /etc/crowdsec/scenarios/ssh-bf.yaml
 crowdsecurity/ssh-slow-bf                         ✔️  enabled  0.4      /etc/crowdsec/scenarios/ssh-slow-bf.yaml
 crowdsecurity/thinkphp-cve-2018-20062             ✔️  enabled  0.6      /etc/crowdsec/scenarios/thinkphp-cve-2018-20062.yaml
 crowdsecurity/vmware-cve-2022-22954               ✔️  enabled  0.3      /etc/crowdsec/scenarios/vmware-cve-2022-22954.yaml
 crowdsecurity/vmware-vcenter-vmsa-2021-0027       ✔️  enabled  0.2      /etc/crowdsec/scenarios/vmware-vcenter-vmsa-2021-0027.yaml
 ltsich/http-w00tw00t                              ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-w00tw00t.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

PARSERS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                               📦 Status          Version  Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/apache2-logs         ✔️  enabled        1.4      /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
 crowdsecurity/dateparse-enrich     ✔️  enabled        0.2      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
 crowdsecurity/geoip-enrich         ✔️  enabled        0.3      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
 crowdsecurity/http-logs            ✔️  enabled        1.2      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
 crowdsecurity/nextcloud-logs       ✔️  enabled        0.3      /etc/crowdsec/parsers/s01-parse/nextcloud-logs.yaml
 crowdsecurity/nextcloud-whitelist  ✔️  enabled        0.7      /etc/crowdsec/parsers/s02-enrich/nextcloud-whitelist.yaml
 crowdsecurity/nginx-logs           ✔️  enabled        1.5      /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml
 crowdsecurity/sshd-logs            ✔️  enabled        2.3      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
 crowdsecurity/syslog-logs          ✔️  enabled        0.8      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
 crowdsecurity/whitelists           🏠  enabled,local           /etc/crowdsec/parsers/s02-enrich/whitelist.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
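Added example (not code from the thread or from the CrowdSec hub): a small Python script that shows what a parser needs from nextcloud.log, which is JSON-per-line with the client IP embedded in the failed-login message, and applies a threshold like a brute-force scenario to constructed sample lines. Two things to check against the metrics above before expecting this to happen inside CrowdSec: no file:.../nextcloud.log source appears at all, so the crowdsec process never managed to open the file (readability by the crowdsec user is the first thing to verify), and the nextcloud-logs parser is selected on evt.Parsed.program, which the file source fills from labels.type, so the label must match the parser filter's lowercase string (`nextcloud`, as on the hub page linked above) exactly. The `time` format and message text are assumed from Nextcloud's default logger.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Nextcloud's JSON log lines (not from the poster's system);
# field set shortened to what this example reads.
SAMPLE_LOG = """\
{"reqId":"a1","level":2,"time":"2024-03-01T10:00:01+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')"}
{"reqId":"a2","level":2,"time":"2024-03-01T10:00:03+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'root' (Remote IP: '203.0.113.5')"}
{"reqId":"a3","level":1,"time":"2024-03-01T10:00:04+00:00","remoteAddr":"198.51.100.7","user":"alice","app":"files","method":"GET","url":"/apps/files","message":"Storage ok"}
not json at all
{"reqId":"a4","level":2,"time":"2024-03-01T10:00:09+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')"}
"""

# Failed-login message as Nextcloud's core app writes it (assumed format). A user name
# containing a single quote would need a looser pattern; that edge case is not handled.
FAILED_LOGIN = re.compile(
    r"^Login failed: '(?P<username>[^']*)' \(Remote IP: '(?P<source_ip>[0-9a-fA-F.:]+)'\)$"
)


def failed_logins(log_text):
    """Return (time, username, source_ip) for every failed-login line; skip non-JSON lines."""
    events = []
    for raw in log_text.splitlines():
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # nextcloud.log is JSON-per-line; anything else is noise to a parser
        m = FAILED_LOGIN.match(entry.get("message", ""))
        if not m:
            continue
        # Behind a reverse proxy (AIO's Apache container, or one in front of it) this IP is
        # the proxy's address unless trusted_proxies is configured in config.php.
        events.append((datetime.fromisoformat(entry["time"]), m["username"], m["source_ip"]))
    return events


def offenders(events, threshold=3, window=timedelta(minutes=1)):
    """Source IPs with at least `threshold` failures inside any `window`-long span,
    i.e. the condition a leaky-bucket brute-force scenario would trip on."""
    by_ip = defaultdict(list)
    for ts, _user, ip in sorted(events):
        by_ip[ip].append(ts)
    hits = set()
    for ip, times in by_ip.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return hits
```

Run it as `python3 script.py -c 'print(offenders(failed_logins(SAMPLE_LOG)))'` style or import it; with the sample above only 203.0.113.5 trips a 3-in-60s threshold.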