diff --git a/package/secubox/luci-app-crowdsec-dashboard/root/usr/libexec/rpcd/luci.crowdsec-dashboard b/package/secubox/luci-app-crowdsec-dashboard/root/usr/libexec/rpcd/luci.crowdsec-dashboard
index f805663a..4fcce05d 100755
--- a/package/secubox/luci-app-crowdsec-dashboard/root/usr/libexec/rpcd/luci.crowdsec-dashboard
+++ b/package/secubox/luci-app-crowdsec-dashboard/root/usr/libexec/rpcd/luci.crowdsec-dashboard
@@ -1394,15 +1394,23 @@ configure_acquisition() {
 rm -f "$acquis_dir/openwrt-dropbear.yaml" 2>/dev/null
 # Create unified syslog acquisition if any syslog-based source is enabled
- # SSH, firewall, and system logs all go through OpenWrt's logread
+ # SSH, firewall, and system logs all go through /var/log/messages
+ # NOTE: CrowdSec doesn't support "source: command" - must use file-based acquisition
 if [ "$syslog_enabled" = "1" ] || [ "$firewall_enabled" = "1" ] || [ "$ssh_enabled" = "1" ]; then
+ # Ensure busybox syslog writes to file (required for CrowdSec)
+ if uci -q get system.@system[0] >/dev/null 2>&1; then
+ uci set system.@system[0].log_file='/var/log/messages'
+ uci set system.@system[0].log_size='512'
+ uci commit system
+ /etc/init.d/log restart >/dev/null 2>&1
+ fi
 cat > "$acquis_dir/openwrt-unified.yaml" << 'YAML'
 # OpenWrt Unified Syslog Acquisition
 # Auto-generated by SecuBox CrowdSec Wizard
-# Uses logread -f to stream all syslog entries
-# Covers: system logs, SSH/Dropbear, firewall (iptables/nftables)
-source: command
-command: /sbin/logread -f
+# Reads from /var/log/messages (busybox syslog)
+# Covers: system logs, SSH/Dropbear/OpenSSH, firewall (iptables/nftables)
+filenames:
+ - /var/log/messages
 labels:
 type: syslog
 YAML
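Review bot: The added `uci set` / `uci commit system` / `/etc/init.d/log restart` sequence ignores every exit status and discards the restart output, so when any step fails (or `system.@system[0]` is absent and the block is skipped) `openwrt-unified.yaml` still points CrowdSec at a `/var/log/messages` that nothing writes, and SSH and firewall detection goes blind without any signal. The `steps_done` message in the second hunk then reports "Configured syslog to file" unconditionally, which hides the gap from the operator. The block also overwrites a `log_file` or `log_size` the administrator may already have set, and `uci commit system` presumably commits any other staged `system` changes along with it; setting the options only when `log_file` is empty would avoid that, though the acquisition path would then have to follow the existing value. I would chain the commands and append a warning to `steps_done` on failure, as below. `configure_acquisition` starts and ends outside this hunk.

```sh
# Ensure busybox syslog writes to file (required for CrowdSec)
if uci -q get system.@system[0] >/dev/null 2>&1; then
    # Stop at the first failing step so a half-applied change is reported
    if ! { uci set system.@system[0].log_file='/var/log/messages' &&
           uci set system.@system[0].log_size='512' &&
           uci commit system &&
           /etc/init.d/log restart >/dev/null 2>&1; }; then
        steps_done="${steps_done}WARNING: syslog file logging not enabled, CrowdSec will see no syslog events; "
    fi
fi
# … unchanged: heredoc that writes openwrt-unified.yaml …
```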
@@ -1410,7 +1418,7 @@ YAML
 [ "$syslog_enabled" = "1" ] && enabled_sources="${enabled_sources}system "
 [ "$ssh_enabled" = "1" ] && enabled_sources="${enabled_sources}SSH "
 [ "$firewall_enabled" = "1" ] && enabled_sources="${enabled_sources}firewall "
- steps_done="${steps_done}Created unified syslog acquisition (${enabled_sources}); "
+ steps_done="${steps_done}Configured syslog to file and created acquisition (${enabled_sources}); "
 else
 rm -f "$acquis_dir/openwrt-unified.yaml"
 steps_done="${steps_done}Disabled syslog acquisition; "