/etc/crowdsec/acquis.yaml defines which files are read by crowdsec at runtime.
The file is a list of object representing groups of files to read, with the following properties.
A least one of :
- filename: a string representing the path to a file (globbing supported)
- filenames: a list of string represent paths to files (globbing supported)
- journalctl_filter: a list of string passed as arguments to
labels object with a field
type indicating the log's type :
filenames: - /var/log/nginx/access-*.log - /var/log/nginx/error.log labels: type: nginx --- filenames: - /var/log/auth.log labels: type: syslog --- journalctl_filter: - "_SYSTEMD_UNIT=ssh.service" labels: type: syslog
labels.type is important as it is what will determine which parser will try to process the logs.
The log won't be processed by the syslog parser if its type is not syslog :
$ cat /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml filter: "evt.Line.Labels.type == 'syslog'" ...
On the other hand, nginx tends to write its own logs without using syslog :
$ cat /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml filter: "evt.Parsed.program startsWith 'nginx'" ...
If for example your nginx was logging via syslog, you need to set its
syslog so that it's first parsed by the syslog parser, and then by the nginx parser (notice they are in different stages).