From 27da0bb48cb3d02db52528c0e6a3a959d007cb5a Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Sun, 11 Jan 2026 07:23:25 +0100 Subject: [PATCH] fix: Auto-configure syslog file logging for CrowdSec OpenWrt uses logd by default which doesn't write to files. CrowdSec file-based acquisition needs /var/log/messages to exist. Changes: - Init script: setup_syslog() configures log_file before each start - Defaults script: setup_syslog_file() configures at install time - openwrt-syslog.yaml: Remove non-existent /var/log/syslog reference The init script sets: uci set system.@system[0].log_file='/var/log/messages' uci set system.@system[0].log_size='512' Co-Authored-By: Claude Opus 4.5 --- .../files/acquis.d/openwrt-syslog.yaml | 4 +-- .../files/crowdsec.defaults | 29 +++++++++++++++++++ .../secubox-app-crowdsec/files/crowdsec.initd | 26 +++++++++++++++++ 3 files changed, 57 insertions(+), 2 deletions(-) diff --git a/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-syslog.yaml b/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-syslog.yaml index 0a6eb1fb..1526257a 100644 --- a/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-syslog.yaml +++ b/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-syslog.yaml @@ -10,10 +10,10 @@ # cscli collections install crowdsecurity/linux # cscli parsers install crowdsecurity/syslog-logs -# File-based acquisition for syslog (if log_file is configured) +# File-based acquisition for syslog +# The init script configures OpenWrt to write logs to /var/log/messages filenames: - /var/log/messages - - /var/log/syslog labels: type: syslog --- diff --git a/package/secubox/secubox-app-crowdsec/files/crowdsec.defaults b/package/secubox/secubox-app-crowdsec/files/crowdsec.defaults index 13a3a21e..28fcfc9c 100644 --- a/package/secubox/secubox-app-crowdsec/files/crowdsec.defaults +++ b/package/secubox/secubox-app-crowdsec/files/crowdsec.defaults 
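Review bot: The new comment in openwrt-syslog.yaml says the init script configures OpenWrt to write to /var/log/messages, but `setup_syslog` and `setup_syslog_file` only do that when `log_file` is empty. If `log_file` already points somewhere else, this hunk leaves /var/log/messages as the only acquisition path while nothing writes to it. Both helpers then `touch` the file, so CrowdSec would tail an empty file without reporting an error, which is a silent gap in detection coverage. I would word the comment as `# log_file is set to /var/log/messages only when it is unset; if system.@system[0].log_file points elsewhere, list that path under filenames`, and have the helpers log a warning when the configured path differs.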
@@ -232,6 +232,32 @@ EOF fi } +# Configure OpenWrt to write logs to file +setup_syslog_file() { + echo "Configuring syslog file logging..." + + local log_file + log_file=$(uci -q get system.@system[0].log_file) + + if [ -z "$log_file" ]; then + echo "Enabling syslog file logging for CrowdSec acquisition" + uci set system.@system[0].log_file='/var/log/messages' + uci set system.@system[0].log_size='512' + uci commit system + /etc/init.d/log restart + # Wait for log file to be created + sleep 2 + else + echo "Syslog file already configured: $log_file" + fi + + # Ensure log file exists + if [ ! -f /var/log/messages ]; then + touch /var/log/messages + chmod 644 /var/log/messages + fi +} + # Detect and configure OpenWrt-specific log sources detect_openwrt_logs() { echo "Detecting OpenWrt log sources..." @@ -291,6 +317,9 @@ main() { # Install Hub collections and parsers install_hub_items + # Setup syslog file logging (required for file-based acquisition) + setup_syslog_file + # Detect OpenWrt log sources detect_openwrt_logs diff --git a/package/secubox/secubox-app-crowdsec/files/crowdsec.initd b/package/secubox/secubox-app-crowdsec/files/crowdsec.initd index 98962758..f5788c6f 100755 --- a/package/secubox/secubox-app-crowdsec/files/crowdsec.initd +++ b/package/secubox/secubox-app-crowdsec/files/crowdsec.initd 
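Review bot: `chmod 644 /var/log/messages` in `setup_syslog_file` makes the system log world-readable, and the same line appears in `setup_syslog` in crowdsec.initd. Syslog on a router usually carries authentication and DHCP events, so I would use `chmod 600 /var/log/messages` unless CrowdSec is known to run as a non-root user, which the patch does not show. The mode is only applied when this script creates the file; a file created by the log service after the restart keeps whatever mode that service gives it, so a comment stating the intended mode would help. Separately, `uci commit system` also commits any other changes staged for the system config, and neither it nor the two `uci set` calls are checked for failure.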
@@ -14,6 +14,31 @@ service_triggers() { procd_add_reload_trigger crowdsec } +setup_syslog() { + # CrowdSec needs log files to exist for acquisition + # OpenWrt uses logd by default which doesn't write to files + # Enable file logging so CrowdSec can read from /var/log/messages + + local log_file + log_file=$(uci -q get system.@system[0].log_file) + + if [ -z "$log_file" ]; then + logger -t crowdsec "Enabling syslog file logging for CrowdSec acquisition" + uci set system.@system[0].log_file='/var/log/messages' + uci set system.@system[0].log_size='512' + uci commit system + /etc/init.d/log restart + # Wait for log file to be created + sleep 2 + fi + + # Ensure log file exists + if [ ! -f /var/log/messages ]; then + touch /var/log/messages + chmod 644 /var/log/messages + fi +} + init_config() { config_load crowdsec config_get data_dir crowdsec data_dir "${RUNCONFDIR}" @@ -36,6 +61,7 @@ init_config() { } start_service() { + setup_syslog init_config procd_open_instance
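Review bot: `setup_syslog` runs from `start_service`, so an administrator who deliberately clears `log_file` gets file logging re-enabled on every CrowdSec start, with the system config rewritten and the log service restarted, and no way to opt out. Since `setup_syslog_file` in crowdsec.defaults already does the same work at install time, I would gate the init-time call on an option in the crowdsec UCI section, or at least document the side effect with `# NOTE: modifies system.@system[0] and restarts the log service when log_file is unset`. The function is also a near copy of `setup_syslog_file`, so the two can drift; one shared implementation would keep the path, size and file mode consistent. The fixed `sleep 2` adds delay to service start without confirming that the file exists; the `[ ! -f ... ]` check after it already covers that case.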