crowdsec
crowdsec copied to clipboard
crowdsecurity
cscli setup detect --yaml fails in systemd containers (Podman)
What happened?
When running podman exec -it crowdsec cscli setup detect --yaml, the command fails with:
Error: cscli setup detect: "systemctl show systemd-remount-fs.service --all --no-pager": exit status 1
Running systemctl show systemd-remount-fs.service --all --no-pager inside the container returns:
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
What did you expect to happen?
the command should detect installed services and generate a setup file
How can we reproduce it (as minimally and precisely as possible)?
Start a CrowdSec container with Podman in rootless. Run podman exec -it crowdsec cscli setup detect --yaml.
Anything else we need to know?
crowdsec is running with quadlet (https://www.redhat.com/en/blog/quadlet-podman)
[Unit]
Description=CrowdSec security engine
Requires=internal-reverse-proxy.container
After=internal-reverse-proxy.container
[Container]
Image=docker.io/crowdsecurity/crowdsec:latest-debian
ContainerName=crowdsec
Environment="COLLECTIONS=crowdsecurity/linux crowdsecurity/caddy crowdsecurity/http-cve Dominic-Wagner/vaultwarden barnoux/caddy-coraza"
Environment=TZ=Europe/Paris
Volume=%h/.config/containers/crowdsec/acquis.d:/etc/crowdsec/acquis.d
Volume=%h/.config/containers/crowdsec/config.yaml:/etc/crowdsec/config.yaml
Volume=/var/log/caddy:/var/log/caddy:ro
Volume=/var/log/vaultwarden:/var/log/vaultwarden:ro
Volume=crowdsec-db:/var/lib/crowdsec/data
Volume=crowdsec-config:/etc/crowdsec
Network=internal-reverse-proxy.network
[Install]
WantedBy=multi-user.target default.target
Crowdsec version
$ cscli version
version: v1.7.0-c3036e21
Codename: alphaga
BuildDate: 2025-09-03_12:38:19
GoVersion: 1.24.6
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.7.0-c3036e21-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog
OS version
# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ uname -a
Linux srvone4all 6.1.0-32-arm64 #1 SMP Debian 6.1.129-1 (2025-03-06) aarch64 GNU/Linux
</details>
### Enabled collections and parsers
<details>
```console
$ cscli hub list -o raw
Loaded: 147 parsers, 11 postoverflows, 765 scenarios, 9 contexts, 5 appsec-configs, 128 appsec-rules, 143 collections
name,status,version,description,type
barnoux/caddy-coraza,enabled,0.1,"Parse coraza, logs from the web server caddy",parsers
crowdsecurity/caddy-logs,enabled,1.1,Parse caddy logs,parsers
crowdsecurity/cri-logs,enabled,0.1,CRI logging format parser,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.3,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/iptables-logs,enabled,0.6,Parse iptables drop logs,parsers
crowdsecurity/public-dns-allowlist,enabled,0.1,Allow events from public DNS servers,parsers
crowdsecurity/sshd-logs,enabled,3.1,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.9,,parsers
crowdsecurity/whitelists,enabled,0.3,Whitelist events from private ipv4 addresses,parsers
Dominic-Wagner/vaultwarden-logs,enabled,0.4,Parse vaultwarden logs,parsers
crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.5,Whitelist good search engine crawlers,postoverflows
barnoux/crs-anomaly-score,enabled,0.1,Web exploitation detected via Core Rule Set inbound anomaly scoring set by the user in crs-setup.conf,scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.6,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.4,Confluence - RCE (CVE-2022-26134),scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.3,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-0012,enabled,0.1,Detect CVE-2024-0012 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/CVE-2024-9474,enabled,0.1,Detect CVE-2024-9474 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.3,F5 BIG-IP TMUI - RCE (CVE-2020-5902),scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.3,Grafana - Arbitrary File Read (CVE-2021-43798),scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.5,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.3,Apache - Path Traversal (CVE-2021-41773),scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.3,Apache - Path Traversal (CVE-2021-42013),scenarios
crowdsecurity/http-cve-probing,enabled,0.6,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-generic-bf,enabled,0.9,Detect generic http brute force,scenarios
crowdsecurity/http-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: basic HTTP trigger,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sap-interface-probing,enabled,0.1,Detect generic HTTP SAP interface probing,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.3,Detect exploitation attempts against common WordPress endpoints,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/iptables-scan-multi_ports,enabled,0.3,Detect aggressive portscans,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.3,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.4,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: SSH brute force trigger,scenarios
crowdsecurity/ssh-refused-conn,enabled,0.1,Detect sshd refused connections,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.6,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
Dominic-Wagner/vaultwarden-bf,enabled,0.3,Detect vaultwarden bruteforce,scenarios
ltsich/http-w00tw00t,enabled,0.3,detect w00tw00t,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/firewall_base,enabled,0.2,,contexts
crowdsecurity/http_base,enabled,0.3,,contexts
barnoux/caddy-coraza,enabled,0.1,Collection including parsers and scenarios for Caddy with Coraza WAF using OWASP Core Rule Set (CRS),collections
crowdsecurity/base-http-scenarios,enabled,1.2,http common : scanners detection,collections
crowdsecurity/caddy,enabled,0.1,caddy support : parser and generic http scenarios,collections
crowdsecurity/http-cve,enabled,2.9,Detect CVE exploitation in http logs,collections
crowdsecurity/iptables,enabled,0.2,iptables support : logs and port-scans detection scenarios,collections
crowdsecurity/linux,enabled,0.3,core linux support : syslog+geoip+ssh,collections
crowdsecurity/sshd,enabled,0.7,sshd support : parser and brute-force detection,collections
crowdsecurity/whitelist-good-actors,enabled,0.2,Good actors whitelists,collections
Dominic-Wagner/vaultwarden,enabled,0.1,Vaultwarden support : parser and brute-force detection,collections
Acquisition config
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
/etc/crowdsec/acquis.d/*
filenames:
- /var/log/nginx/*.log
- ./tests/nginx/nginx.log
#this is not a syslog log, indicate which kind of logs it is
labels:
type: nginx
---
filenames:
- /var/log/auth.log
- /var/log/syslog
labels:
type: syslog
---
filename: /var/log/apache2/*.log
labels:
type: apache2
cat: '/etc/crowdsec/acquis.d/*': No such file or directory
Config show
$ cscli config show
Global:
- Configuration Folder : /etc/crowdsec
- Data Folder : /var/lib/crowdsec/data
- Hub Folder : /etc/crowdsec/hub
- Notification Folder : /etc/crowdsec/notifications
- Simulation File : /etc/crowdsec/simulation.yaml
- Log Folder : /var/log
- Log level : info
- Log Media : file
Crowdsec:
- Acquisition File : /etc/crowdsec/acquis.yaml
- Parsers routines : 1
- Acquisition Folder : /etc/crowdsec/acquis.d
cscli:
- Output : human
- Hub Branch :
API Client:
- URL : http://0.0.0.0:8080/
- Login : localhost
- Credentials File : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
- Listen URL : 0.0.0.0:8080
- Listen Socket :
- Profile File : /etc/crowdsec/profiles.yaml
- Trusted IPs:
- 127.0.0.1
- ::1
- 10.89.0.0/24
- Database:
- Type : sqlite
- Path : /var/lib/crowdsec/data/crowdsec.db
- Flush age : 168h0m0s
- Flush size : 5000
Prometheus metrics
$ cscli metrics
╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics │
├───────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├───────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/caddy/caddy.log │ 641 │ 345 │ 296 │ 168 │ - │
│ file:/var/log/vaultwarden/vaultwarden.log │ 1 │ - │ 1 │ - │ - │
╰───────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
╭─────────────────────────────────────────────────────────────────────────────────────╮
│ Bouncer Metrics ([email protected]) since 2025-10-09 09:24:34 +0000 UT │
│ C │
├────────────────────────────┬──────────────────┬─────────────────┬───────────────────┤
│ Origin │ active_decisions │ dropped │ processed │
│ │ IPs │ bytes │ packets │ bytes │ packets │
├────────────────────────────┼──────────────────┼───────┼─────────┼─────────┼─────────┤
│ CAPI (community blocklist) │ 5.12k │ 0 │ 0 │ - │ - │
│ lists:firehol_cybercrime │ 167 │ 0 │ 0 │ - │ - │
├────────────────────────────┼──────────────────┼───────┼─────────┼─────────┼─────────┤
│ Total │ 5.28k │ 0 │ 0 │ 416.87M │ 1.63M │
╰────────────────────────────┴──────────────────┴───────┴─────────┴─────────┴─────────╯
╭─────────────────────────────────────────────────╮
│ Local API Decisions │
├───────────────────────┬────────┬────────┬───────┤
│ Reason │ Origin │ Action │ Count │
├───────────────────────┼────────┼────────┼───────┤
│ generic:scan │ CAPI │ ban │ 30 │
│ http:crawl │ CAPI │ ban │ 1416 │
│ http:scan │ CAPI │ ban │ 702 │
│ ssh:exploit │ CAPI │ ban │ 102 │
│ tcp:scan │ CAPI │ ban │ 255 │
│ http:bruteforce │ CAPI │ ban │ 816 │
│ http:exploit │ CAPI │ ban │ 1094 │
│ ssh:bruteforce │ CAPI │ ban │ 694 │
│ vm-management:exploit │ CAPI │ ban │ 7 │
│ firehol_cybercrime │ lists │ ban │ 174 │
╰───────────────────────┴────────┴────────┴───────╯
╭───────────────────────────────────────╮
│ Local API Metrics │
├──────────────────────┬────────┬───────┤
│ Route │ Method │ Hits │
├──────────────────────┼────────┼───────┤
│ /v1/decisions/stream │ GET │ 91703 │
│ /v1/heartbeat │ GET │ 15284 │
│ /v1/usage-metrics │ POST │ 1528 │
│ /v1/watchers/login │ POST │ 260 │
╰──────────────────────┴────────┴───────╯
╭────────────────────────────────────────────────────────────────────────╮
│ Local API Bouncers Metrics │
├────────────────────────────────┬──────────────────────┬────────┬───────┤
│ Bouncer │ Route │ Method │ Hits │
├────────────────────────────────┼──────────────────────┼────────┼───────┤
│ [email protected] │ /v1/decisions/stream │ GET │ 91703 │
╰────────────────────────────────┴──────────────────────┴────────┴───────╯
╭────────────────────────────────────────────╮
│ Local API Machines Metrics │
├───────────┬───────────────┬────────┬───────┤
│ Machine │ Route │ Method │ Hits │
├───────────┼───────────────┼────────┼───────┤
│ localhost │ /v1/heartbeat │ GET │ 15284 │
╰───────────┴───────────────┴────────┴───────╯
╭───────────────────────────────────────────────────────────────────╮
│ Parser Metrics │
├───────────────────────────────────────┬───────┬────────┬──────────┤
│ Parsers │ Hits │ Parsed │ Unparsed │
├───────────────────────────────────────┼───────┼────────┼──────────┤
│ Dominic-Wagner/vaultwarden-logs │ 1 │ - │ 1 │
│ barnoux/caddy-coraza │ 641 │ 1 │ 640 │
│ child-Dominic-Wagner/vaultwarden-logs │ 4 │ - │ 4 │
│ child-barnoux/caddy-coraza │ 641 │ 1 │ 640 │
│ child-crowdsecurity/http-logs │ 1.03k │ 730 │ 302 │
│ crowdsecurity/caddy-logs │ 344 │ 344 │ - │
│ crowdsecurity/dateparse-enrich │ 345 │ 345 │ - │
│ crowdsecurity/geoip-enrich │ 345 │ 345 │ - │
│ crowdsecurity/http-logs │ 344 │ 344 │ - │
│ crowdsecurity/non-syslog │ 642 │ 642 │ - │
│ crowdsecurity/public-dns-allowlist │ 345 │ 345 │ - │
│ crowdsecurity/whitelists │ 345 │ 345 │ - │
╰───────────────────────────────────────┴───────┴────────┴──────────╯
╭────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Scenario Metrics │
├──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────┤
│ Scenario │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-crawl-non_statics │ - │ - │ 113 │ 168 │ 113 │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯
╭───────────────────────────────────────────────────────────────────────────────────────╮
│ Whitelist Metrics │
├────────────────────────────────────┬─────────────────────────────┬──────┬─────────────┤
│ Whitelist │ Reason │ Hits │ Whitelisted │
├────────────────────────────────────┼─────────────────────────────┼──────┼─────────────┤
│ crowdsecurity/public-dns-allowlist │ public DNS server │ 345 │ - │
│ crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 345 │ - │
╰────────────────────────────────────┴─────────────────────────────┴──────┴─────────────╯
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
@Barnoux: Thanks for opening an issue, it is currently awaiting triage.
In the meantime, you can:
- Check Crowdsec Documentation to see if your issue can be self resolved.
- You can also join our Discord.
- Check Releases to make sure your agent is on the latest version.
Details
I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hello
what is your intent here?
Do you have systemd services running in the same container? If not (which I suppose is the case) you can disable systemd probing with cscli setup detect --yaml --skip-systemd. But still, it would detect services running in the crowdsec container itself.
otherwise, if you want to use the container to probe systemd services in the host, you need to give the access, for example
$ podman run -e CROWDSEC_BYPASS_DB_VOLUME_CHECK=true \
-v /run/systemd/system:/run/systemd/system \
-v /run/dbus/system_bus_socket:/run/dbus/system_bus_socket \
docker.io/crowdsecurity/crowdsec:latest-debian
We provide the debian-based image with systemd to use the journal datasource (after mounting the log directory). we don't call service detection in the entrypoint, at least not yet
Hello,
My intend is to verify that i don't miss any scenarios from the log sources that crowdsec collect at the moment, in my case the log sources currently collected are:
- vaultwarden,
- caddy.
Does using cscli setup detect is the right tool to detect all possible scenario from the logs sources ?
since i'm not collecting systemd log your suggestion works for me, thank you