fix(crowdsec): Use file-based acquisition instead of command source

CrowdSec on OpenWrt doesn't support "source: command" acquisition. Changed to file-based acquisition reading /var/log/messages. Also configures busybox syslog to write to file automatically. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-13 09:37:18 +01:00 · 2026-01-13 09:37:18 +01:00 · 12728da193
commit 12728da193
parent 3b84c8a047
1 changed files with 14 additions and 6 deletions
--- a/package/secubox/luci-app-crowdsec-dashboard/root/usr/libexec/rpcd/luci.crowdsec-dashboard
+++ b/package/secubox/luci-app-crowdsec-dashboard/root/usr/libexec/rpcd/luci.crowdsec-dashboard
@ -1394,15 +1394,23 @@ configure_acquisition() {
 	rm -f "$acquis_dir/openwrt-dropbear.yaml" 2>/dev/null

 	# Create unified syslog acquisition if any syslog-based source is enabled
-	# SSH, firewall, and system logs all go through OpenWrt's logread
+	# SSH, firewall, and system logs all go through /var/log/messages
+	# NOTE: CrowdSec doesn't support "source: command" - must use file-based acquisition
 	if [ "$syslog_enabled" = "1" ] || [ "$firewall_enabled" = "1" ] || [ "$ssh_enabled" = "1" ]; then
+		# Ensure busybox syslog writes to file (required for CrowdSec)
+		if uci -q get system.@system[0] >/dev/null 2>&1; then
+			uci set system.@system[0].log_file='/var/log/messages'
+			uci set system.@system[0].log_size='512'
+			uci commit system
+			/etc/init.d/log restart >/dev/null 2>&1
+		fi
 		cat > "$acquis_dir/openwrt-unified.yaml" << 'YAML'
 # OpenWrt Unified Syslog Acquisition
 # Auto-generated by SecuBox CrowdSec Wizard
-# Uses logread -f to stream all syslog entries
-# Covers: system logs, SSH/Dropbear, firewall (iptables/nftables)
-source: command
-command: /sbin/logread -f
+# Reads from /var/log/messages (busybox syslog)
+# Covers: system logs, SSH/Dropbear/OpenSSH, firewall (iptables/nftables)
+filenames:
+  - /var/log/messages
 labels:
  type: syslog
 YAML
@ -1410,7 +1418,7 @@ YAML
 		[ "$syslog_enabled" = "1" ] && enabled_sources="${enabled_sources}system "
 		[ "$ssh_enabled" = "1" ] && enabled_sources="${enabled_sources}SSH "
 		[ "$firewall_enabled" = "1" ] && enabled_sources="${enabled_sources}firewall "
-		steps_done="${steps_done}Created unified syslog acquisition (${enabled_sources}); "
+		steps_done="${steps_done}Configured syslog to file and created acquisition (${enabled_sources}); "
 	else
 		rm -f "$acquis_dir/openwrt-unified.yaml"
 		steps_done="${steps_done}Disabled syslog acquisition; "