Acquisition error : dead reader

Aukfood · January 2, 2024, 2:29pm

Hello,
happy 2024 new year to all.

I have some fatal errors on boot with crowdsec : level=fatal msg="starting acquisition error : dead reader for

My acquis.yaml

filenames:
  - /var/www/*/var/log/apache2/access.*
  - /var/www/*/var/log/apache2/error.*
labels:
  type: apache2
---

Complete log :

time=“02-01-2024 15:17:57” level=fatal msg=“starting acquisition error : dead reader for /var/www/website/var/log/apache2/access.2022.09.20”
time=“02-01-2024 15:19:00” level=fatal msg=“starting acquisition error : dead reader for /var/www/website/var/log/apache2/access.2022.09.17”
time=“02-01-2024 15:20:04” level=fatal msg=“starting acquisition error : dead reader for /var/www/website/var/log/apache2/access.2022.09.21”

All works for a time but for somes weeks I have this fatal error.

Reference in Apache2 rotatelogs in acquisition

Thanks for you’re help

Aukfood · January 10, 2024, 6:49am

Hello, does someone have on idea ? I have same results in another server.

Does my acquisition apache logs is wrong ?

---
filenames:
  - /var/www/*/var/log/apache2/access*
  - /var/www/*/var/log/apache2/error*
labels:
  type: apache2
---

There is a solution to bypass errors and continue to work ?

Regards

iiAmLoz · January 10, 2024, 1:09pm

So dead reader happens in two cases and both are linked to symlinked files:

Symlink is to a /dev/ property EG /dev/stdout, this commonly happen in containers
Symlink file is static, however, the underlying file is rotated and then since the symlink doesnt get changed the reader returns EOF

On dead reader I believe we log the file? does it pinpoint a direct location?

Aukfood · January 10, 2024, 2:15pm

@iiAmLoz yes all file are direct files not symlinks

For exemple :

time="10-01-2024 15:14:02" level=fatal msg="starting acquisition error : dead reader for /var/www/<private>/var/log/apache2/access.2020.12.29"

# ls -la /var/www/www.monsite.fr/var/log/apache2/access.2020.12.29
-rw-r--r-- 1 monsite monsite 3684784 29 déc.   2020 /var/www/<private>/var/log/apache2/access.2020.12.29

iiAmLoz · January 10, 2024, 3:32pm

Its a pretty old file, that hasnt been updated in 4 years (Closer to 3 years really)?

However, I see an area of improvement since we dont log the actual error that comes from the Tail package, so i opened an issue

Aukfood · January 10, 2024, 4:12pm

yes but same problem with more recent file

 crowdsec
time="10-01-2024 17:10:30" level=fatal msg="starting acquisition error : dead reader for /var/www/www.monsite.fr/var/log/apache2/access.2023.12.03"
# ls -la /var/www/www.monsite.fr/var/log/apache2/access.2023.12.03
-rw-r--r-- 1 root monsite 7624458  3 déc.  23:59 /var/www/www.monsite.fr/var/log/apache2/access.2023.12.03

Aukfood · February 1, 2024, 10:45am

@iiAmLoz no idea about that ?

iiAmLoz · February 1, 2024, 10:58am

Can you upgrade to v1.6.0 as we merged a patch to log the reason for the death

If the error is empty then we have very little to go on.

Topic		Replies	Views
Warning in log msg="while configuring datasource : empty filename(s) and journalctl filter, malformed datasource"	1	635	March 18, 2021
Problem config for acquisition crowdsec	4	1438	April 20, 2023
Failed to compile node 'crowdsecurity/syslog-logs'	7	508	September 17, 2021
How to udpate crowdsec?	4	688	December 14, 2020
Journalctl parsers fails (solved) crowdsec	4	845	March 5, 2023

Acquisition error : dead reader

Related Topics