I’m getting conflicting feedback on whether or not it’s working.
The primary log file ‘/var/log/crowdsec.log’ has the following entry, using the parser above -
time="04-11-2020 18:06:01" level=debug msg="+ Processing 2 statics" func="github.com/crowdsecurity/crowdsec/pkg/parser.(*Node).process" file="/home/runner/work/crowdsec/crowdsec/pkg/parser/node.go:313" id=long-lake name=crowdsecurity/non-syslog stage=s00-raw
time="04-11-2020 18:06:01" level=debug msg=".Parsed[message] = '{ "timestamp": "2020-11-04T18:06:01+11:00", "remote_addr": "54.162.224.1", "connection": "50343", "connection_requests": 1, "pipe": ".", "body_bytes_sent": 161205, "request_length": 325, "request_time": 0.228, "response_status": 200, "request": "GET /media/catalog/product/b/e/bella_rosa.jpg HTTP/1.1", "request_method": "GET", "host": "redacted.domain.co", "upstream_cache_status": "", "upstream_addr": "", "http_x_forwarded_for": "", "http_referrer": "", "http_user_agent": "Ruby", "http_version": "HTTP/1.1", "remote_user": "", "http_x_forwarded_proto": "", "upstream_response_time": "", "nginx_access": true }'" func=github.com/crowdsecurity/crowdsec/pkg/parser.ProcessStatics file="/home/runner/work/crowdsec/crowdsec/pkg/parser/runtime.go:175" id=long-lake name=crowdsecurity/non-syslog stage=s00-raw
Yes, the metrics command doesn't show any lines parsed? -
sudo cscli metrics
INFO[0000] Buckets Metrics:
+--------+---------------+-----------+--------------+--------+---------+
| BUCKET | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+--------+---------------+-----------+--------------+--------+---------+
+--------+---------------+-----------+--------------+--------+---------+
INFO[0000] Acquisition Metrics:
+----------------------------------------------------+------------+--------------+----------------+------------------------+
| SOURCE                                             | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+----------------------------------------------------+------------+--------------+----------------+------------------------+
| /var/log/auth.log                                  | 24         | -            | 24             | -                      |
| /var/log/nginx/ssl-obfuscated.domain.co.access.log | 132        | -            | 132            | -                      |
| /var/log/syslog                                    | 11         | -            | 11             | -                      |
+----------------------------------------------------+------------+--------------+----------------+------------------------+
INFO[0000] Parser Metrics:
+-------------------------------+------+--------+----------+
| PARSERS                       | HITS | PARSED | UNPARSED |
+-------------------------------+------+--------+----------+
| child-crowdsecurity/sshd-logs | 10   | -      | 10       |
| crowdsecurity/non-syslog      | 132  | 132    | -        |
| crowdsecurity/sshd-logs       | 2    | -      | 2        |
| crowdsecurity/syslog-logs     | 35   | 35     | -        |
+-------------------------------+------+--------+----------+
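The two outputs above fit together once the metrics are read stage by stage. crowdsecurity/non-syslog runs in stage s00-raw and simply wraps each nginx line into Parsed[message], which is why it reports 132 parsed; but the parser list contains nothing in s01-parse that understands that JSON access-log format, and a line only counts as parsed for its source when some parser succeeds in every stage. With no match in s01-parse the event is dropped, so all 132 nginx lines land in LINES UNPARSED and nothing is poured to a bucket. The Python model below is added here as an illustration; it is not part of the post and not CrowdSec's code. It pushes constructed sample lines through a two-stage chain with CrowdSec-style filters and per-stage success rules, first with the parser set seen in the post and then with a hypothetical `example/nginx-json-logs` parser added. The sshd sample line, the abridged JSON document and that parser name are assumptions for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample input keyed by source file: (acquisition label type,
# lines).  The nginx document is abridged from the .Parsed[message] shown in
# the post's debug log; the sshd line is an invented syslog auth failure.
SAMPLE_SOURCES = {
    "/var/log/nginx/access.log": ("nginx", [json.dumps({
        "timestamp": "2020-11-04T18:06:01+11:00",
        "remote_addr": "54.162.224.1",
        "response_status": 200,
        "request": "GET /media/catalog/product/b/e/bella_rosa.jpg HTTP/1.1",
        "http_user_agent": "Ruby",
        "nginx_access": True,
    })]),
    "/var/log/auth.log": ("syslog", [
        "Nov  4 18:06:01 web1 sshd[2211]: Failed password for root "
        "from 198.51.100.7 port 40022 ssh2",
    ]),
}

SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")
SSHD_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<source_ip>\S+)")


def syslog_logs(evt):
    """s00-raw: split the classic syslog header into program/message."""
    m = SYSLOG_RE.match(evt["line"])
    if not m:
        return False
    evt["parsed"].update(m.groupdict())
    return True


def non_syslog(evt):
    """s00-raw: accept the line as-is and expose it whole as Parsed[message]."""
    evt["parsed"]["message"] = evt["line"]
    return True


def sshd_logs(evt):
    """s01-parse: pull user and source IP out of an sshd failure message."""
    m = SSHD_FAIL_RE.search(evt["parsed"].get("message", ""))
    if not m:
        return False
    evt["parsed"].update(m.groupdict())
    return True


def nginx_json_logs(evt):
    """s01-parse (hypothetical): decode the JSON access-log document."""
    try:
        doc = json.loads(evt["parsed"]["message"])
    except (KeyError, ValueError):
        return False
    if not isinstance(doc, dict) or not doc.get("nginx_access"):
        return False
    evt["parsed"]["source_ip"] = doc["remote_addr"]
    evt["parsed"]["status"] = int(doc["response_status"])
    evt["parsed"]["request"] = doc["request"]
    return True


# (name, filter, parser) per stage.  The filter plays the role of a parser's
# `filter:` line: a parser only counts a HIT when its filter accepts the event.
STAGES_AS_POSTED = [
    ("s00-raw", [
        ("crowdsecurity/syslog-logs", lambda e: e["type"] == "syslog", syslog_logs),
        ("crowdsecurity/non-syslog", lambda e: e["type"] != "syslog", non_syslog),
    ]),
    ("s01-parse", [
        ("crowdsecurity/sshd-logs", lambda e: e["parsed"].get("program") == "sshd", sshd_logs),
    ]),
]
STAGES_WITH_NGINX = [STAGES_AS_POSTED[0], ("s01-parse", STAGES_AS_POSTED[1][1] + [
    ("example/nginx-json-logs", lambda e: e["type"] == "nginx", nginx_json_logs),
])]


def run_chain(sources, stages):
    """Return (acquisition metrics, parser metrics, fully parsed events).

    A line counts as PARSED for its source only when some parser succeeds in
    every stage; the first success inside a stage ends that stage.  A stage
    with no successful parser drops the event, and the line is counted
    UNPARSED no matter what earlier stages did.
    """
    acq = defaultdict(lambda: {"read": 0, "parsed": 0, "unparsed": 0})
    pm = defaultdict(lambda: {"hits": 0, "parsed": 0, "unparsed": 0})
    events = []
    for source, (label_type, lines) in sources.items():
        for line in lines:
            acq[source]["read"] += 1
            evt = {"line": line, "type": label_type, "parsed": {}}
            for _stage, parsers in stages:
                for name, accepts, parse in parsers:
                    if not accepts(evt):
                        continue
                    pm[name]["hits"] += 1
                    if parse(evt):
                        pm[name]["parsed"] += 1
                        break
                    pm[name]["unparsed"] += 1
                else:  # no parser in this stage succeeded: event dropped
                    acq[source]["unparsed"] += 1
                    break
            else:  # every stage produced a match
                acq[source]["parsed"] += 1
                events.append(evt["parsed"])
    return dict(acq), dict(pm), events


if __name__ == "__main__":
    for label, stages in (("as posted", STAGES_AS_POSTED), ("with nginx parser", STAGES_WITH_NGINX)):
        acq, _pm, _events = run_chain(SAMPLE_SOURCES, stages)
        print(label)
        for src, m in acq.items():
            print(f"  {src}: read={m['read']} parsed={m['parsed']} unparsed={m['unparsed']}")
```

Run as posted, the nginx source shows read 1, parsed 0, unparsed 1 while crowdsecurity/non-syslog shows hits 1, parsed 1, matching the shape of the metrics above; adding the s01-parse JSON parser flips the same line to parsed and exposes source_ip for a scenario to use.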