Hey,
I cant parse in crowdsec acquis.yaml the log file /var/lib/docker/volumes/nextcloud_aio_nextcloud/_data/data/nextcloud.log because it is owned by www-data of the docker container?!
I even mounted the nextcloud data at /mnt/ncdata and the log file is available there but still not able to parse it.
I donโt use Crowdsec, only Fail2ban, but I would say that the ownership of the file shouldnโt be an issue, since itโs basically always owned by the webserver user, regardless of whether you are using AIO or some other installation type.
Did you actually install the respective collections/parsers and configure them accordingly?
Maybe the following links are of any help:
https://github.com/nextcloud/all-in-one/discussions/2194
https://app.crowdsec.net/hub/author/crowdsecurity/configurations/nextcloud-logs
https://www.c-rieger.de/nextcloud-installationsanleitung/#c06 (German)
Yes collections and parsers are installed. Still not parsing the nextcloud.log
The acquis.yaml
#Generated acquisition file - wizard.sh (service: ssh) / files : /var/log/auth.log
filenames:
- /var/log/auth.log
labels:
type: syslog
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/kern.log
filenames:
- /var/log/syslog
- /var/log/kern.log
labels:
type: syslog
---
filenames:
- /var/lib/docker/volumes/nextcloud_aio_nextcloud/_data/data/nextcloud.log
- /mnt/ncdata/nextcloud.log
- /var/log/nextcloud/nextcloud.log
labels:
type: Nextcloud
---
source: journalctl
journalctl_filter:
- "SYSLOG_IDENTIFIER=Nextcloud"
labels:
type: syslog
---
source: docker
container_name:
- nextcloud-aio-nextcloud
labels:
type: syslog
---
cscli metrics where the acquisition is only reading 3 files.
Acquisition Metrics:
โญโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโฎ
โ Source โ Lines read โ Lines parsed โ Lines unparsed โ Lines poured to bucket โ Lines whitelisted โ
โโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโค
โ file:/var/log/auth.log โ 5 โ - โ 5 โ - โ - โ
โ file:/var/log/kern.log โ 80 โ - โ 80 โ - โ - โ
โ file:/var/log/syslog โ 265 โ - โ 265 โ - โ - โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโฏ
Local API Decisions:
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโฎ
โ Reason โ Origin โ Action โ Count โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโผโโโโโโโโค
โ crowdsecurity/http-probing โ CAPI โ ban โ 7171 โ
โ crowdsecurity/http-sensitive-files โ CAPI โ ban โ 160 โ
โ crowdsecurity/ssh-bf โ CAPI โ ban โ 8194 โ
โ crowdsecurity/ssh-slow-bf โ CAPI โ ban โ 2474 โ
โ ltsich/http-w00tw00t โ CAPI โ ban โ 4 โ
โ crowdsecurity/apache_log4j2_cve-2021-44228 โ CAPI โ ban โ 442 โ
โ crowdsecurity/http-crawl-non_statics โ CAPI โ ban โ 2677 โ
โ firehol_cruzit_web_attacks โ lists โ ban โ 13175 โ
โ tor-exit-nodes โ lists โ ban โ 1137 โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโดโโโโโโโโฏ
Local API Metrics:
โญโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโฎ
โ Route โ Method โ Hits โ
โโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโค
โ /v1/heartbeat โ GET โ 6 โ
โ /v1/watchers/login โ POST โ 1 โ
โฐโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโฏ
Local API Machines Metrics:
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโฎ
โ Machine โ Route โ Method โ Hits โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโค
โ d529457f0a99f707d70723c26657957f5HTD9830euNCrzo7 โ /v1/heartbeat โ GET โ 6 โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโฏ
Parser Metrics:
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโฎ
โ Parsers โ Hits โ Parsed โ Unparsed โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโผโโโโโโโโโผโโโโโโโโโโโค
โ child-crowdsecurity/syslog-logs โ 350 โ 350 โ - โ
โ crowdsecurity/syslog-logs โ 350 โ 350 โ - โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโดโโโโโโโโโดโโโโโโโโโโโฏ
The collections, parsers and scenarios
COLLECTIONS
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Name ๐ฆ Status Version Local Path
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
crowdsecurity/base-http-scenarios โ๏ธ enabled 1.0 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/http-cve โ๏ธ enabled 2.6 /etc/crowdsec/collections/http-cve.yaml
crowdsecurity/linux โ๏ธ enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/nextcloud โ๏ธ enabled 0.3 /etc/crowdsec/collections/nextcloud.yaml
crowdsecurity/nginx โ๏ธ enabled 0.2 /etc/crowdsec/collections/nginx.yaml
crowdsecurity/sshd โ๏ธ enabled 0.3 /etc/crowdsec/collections/sshd.yaml
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
SCENARIOS
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Name ๐ฆ Status Version Local Path
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
crowdsecurity/apache_log4j2_cve-2021-44228 โ๏ธ enabled 0.6 /etc/crowdsec/scenarios/apache_log4j2_cve-2021-44228.yaml
crowdsecurity/CVE-2017-9841 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/CVE-2017-9841.yaml
crowdsecurity/CVE-2019-18935 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/CVE-2019-18935.yaml
crowdsecurity/CVE-2022-26134 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/CVE-2022-26134.yaml
crowdsecurity/CVE-2022-35914 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/CVE-2022-35914.yaml
crowdsecurity/CVE-2022-37042 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/CVE-2022-37042.yaml
crowdsecurity/CVE-2022-40684 โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/CVE-2022-40684.yaml
crowdsecurity/CVE-2022-41082 โ๏ธ enabled 0.4 /etc/crowdsec/scenarios/CVE-2022-41082.yaml
crowdsecurity/CVE-2022-41697 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/CVE-2022-41697.yaml
crowdsecurity/CVE-2022-42889 โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/CVE-2022-42889.yaml
crowdsecurity/CVE-2022-44877 โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/CVE-2022-44877.yaml
crowdsecurity/CVE-2022-46169 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/CVE-2022-46169.yaml
crowdsecurity/CVE-2023-22515 โ๏ธ enabled 0.1 /etc/crowdsec/scenarios/CVE-2023-22515.yaml
crowdsecurity/CVE-2023-22518 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/CVE-2023-22518.yaml
crowdsecurity/CVE-2023-49103 โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/CVE-2023-49103.yaml
crowdsecurity/f5-big-ip-cve-2020-5902 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/f5-big-ip-cve-2020-5902.yaml
crowdsecurity/fortinet-cve-2018-13379 โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/fortinet-cve-2018-13379.yaml
crowdsecurity/grafana-cve-2021-43798 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/grafana-cve-2021-43798.yaml
crowdsecurity/http-admin-interface-probing โ๏ธ enabled 0.4 /etc/crowdsec/scenarios/http-admin-interface-probing.yaml
crowdsecurity/http-backdoors-attempts โ๏ธ enabled 0.6 /etc/crowdsec/scenarios/http-backdoors-attempts.yaml
crowdsecurity/http-bad-user-agent โ๏ธ enabled 1.2 /etc/crowdsec/scenarios/http-bad-user-agent.yaml
crowdsecurity/http-crawl-non_statics โ๏ธ enabled 0.7 /etc/crowdsec/scenarios/http-crawl-non_statics.yaml
crowdsecurity/http-cve-2021-41773 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/http-cve-2021-41773.yaml
crowdsecurity/http-cve-2021-42013 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/http-cve-2021-42013.yaml
crowdsecurity/http-cve-probing โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/http-cve-probing.yaml
crowdsecurity/http-generic-bf โ๏ธ enabled 0.6 /etc/crowdsec/scenarios/http-generic-bf.yaml
crowdsecurity/http-open-proxy โ๏ธ enabled 0.5 /etc/crowdsec/scenarios/http-open-proxy.yaml
crowdsecurity/http-path-traversal-probing โ๏ธ enabled 0.4 /etc/crowdsec/scenarios/http-path-traversal-probing.yaml
crowdsecurity/http-probing โ๏ธ enabled 0.4 /etc/crowdsec/scenarios/http-probing.yaml
crowdsecurity/http-sensitive-files โ๏ธ enabled 0.4 /etc/crowdsec/scenarios/http-sensitive-files.yaml
crowdsecurity/http-sqli-probing โ๏ธ enabled 0.4 /etc/crowdsec/scenarios/http-sqli-probing.yaml
crowdsecurity/http-wordpress-scan โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/http-wordpress-scan.yaml
crowdsecurity/http-xss-probing โ๏ธ enabled 0.4 /etc/crowdsec/scenarios/http-xss-probing.yaml
crowdsecurity/jira_cve-2021-26086 โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/jira_cve-2021-26086.yaml
crowdsecurity/netgear_rce โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/netgear_rce.yaml
crowdsecurity/nextcloud-bf โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/nextcloud-bf.yaml
crowdsecurity/nginx-req-limit-exceeded โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/nginx-req-limit-exceeded.yaml
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/pulse-secure-sslvpn-cve-2019-11510.y
aml
crowdsecurity/spring4shell_cve-2022-22965 โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/spring4shell_cve-2022-22965.yaml
crowdsecurity/ssh-bf โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/ssh-bf.yaml
crowdsecurity/ssh-slow-bf โ๏ธ enabled 0.4 /etc/crowdsec/scenarios/ssh-slow-bf.yaml
crowdsecurity/thinkphp-cve-2018-20062 โ๏ธ enabled 0.6 /etc/crowdsec/scenarios/thinkphp-cve-2018-20062.yaml
crowdsecurity/vmware-cve-2022-22954 โ๏ธ enabled 0.3 /etc/crowdsec/scenarios/vmware-cve-2022-22954.yaml
crowdsecurity/vmware-vcenter-vmsa-2021-0027 โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/vmware-vcenter-vmsa-2021-0027.yaml
ltsich/http-w00tw00t โ๏ธ enabled 0.2 /etc/crowdsec/scenarios/http-w00tw00t.yaml
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
PARSERS
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Name ๐ฆ Status Version Local Path
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
crowdsecurity/apache2-logs โ๏ธ enabled 1.4 /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml
crowdsecurity/dateparse-enrich โ๏ธ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
crowdsecurity/geoip-enrich โ๏ธ enabled 0.3 /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
crowdsecurity/http-logs โ๏ธ enabled 1.2 /etc/crowdsec/parsers/s02-enrich/http-logs.yaml
crowdsecurity/nextcloud-logs โ๏ธ enabled 0.3 /etc/crowdsec/parsers/s01-parse/nextcloud-logs.yaml
crowdsecurity/nextcloud-whitelist โ๏ธ enabled 0.7 /etc/crowdsec/parsers/s02-enrich/nextcloud-whitelist.yaml
crowdsecurity/nginx-logs โ๏ธ enabled 1.5 /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml
crowdsecurity/sshd-logs โ๏ธ enabled 2.3 /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
crowdsecurity/syslog-logs โ๏ธ enabled 0.8 /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
crowdsecurity/whitelists ๐ enabled,local /etc/crowdsec/parsers/s02-enrich/whitelist.yaml
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ