Log Processor No Logs Read
The Log Processor No Logs Read issue means the LP is running but has not acquired any log lines in the last 24 hours.
This is the first step in the detection pipeline and must work for CrowdSec to function.
What Triggers This Issueโ
- Trigger condition: No logs acquired for 24 hours
- Criticality: ๐ฅ Critical
- Impact: Complete detection failure - no logs means no alerts
Common Root Causesโ
- Missing or incorrect acquisition configuration: No acquisition files exist, or they do not reference the correct datasource
- File permission issues: CrowdSec doesn't have read access to the log files.
- Log files are empty or not being written: The services being monitored aren't generating logs.
- Incorrect Acquisition endpoint configuration: Error in endpoint config, for acquisition types listening for incoming data (httpLogs, syslog,...)
- Acquisition type mismatch: Wrong datasource type configured (e.g., using
fileinstead ofjournald). - Container/Kubernetes volume issues: In containerized deployments, logs aren't mounted or accessible to the CrowdSec container.
Diagnosis & Resolutionโ
Missing Acquisition Configurationโ
๐ Check if acquisition configuration existsโ
SH
# Default single file acquisition configuration
sudo cat /etc/crowdsec/acquis.yaml
# Recommended, per-datasource acquisitions configuration files
sudo ls -la /etc/crowdsec/acquis.d/
Run this command for Docker or Kubernetes
SH
docker exec crowdsec cat /etc/crowdsec/acquis.yaml
docker exec crowdsec ls -la /etc/crowdsec/acquis.d/
SH
kubectl get configmap -n crowdsec -o yaml
If these files are empty or missing, create acquisition configuration.
Also check acquisition metrics:
SH
sudo cscli metrics show acquisition
Run this command for Docker or Kubernetes
SH
docker exec crowdsec cscli metrics show acquisition
SH
kubectl exec -n crowdsec -it <agent-pod> -- cscli metrics show acquisition
What to look for:
- If the output is empty or shows 0 "Lines read", acquisition is not working
- If sources are listed but "Lines read" is 0, the source exists but isn't reading data
๐ ๏ธ Create acquisition configuration for your deploymentโ
The acquisition configuration tells CrowdSec which logs to read. Configuration varies by deployment:
File Permission Issuesโ
๐ Test if CrowdSec can read log filesโ
SH
# Check logs permissions to see if they can be read by CrowdSec
ls -la /var/log/nginx/
๐ ๏ธ Grant CrowdSec read access to log filesโ
If CrowdSec can't read log files:
SH
# Or adjust log file permissions or find files you have read access to
sudo chmod 644 /var/log/nginx/access.log
# Restart CrowdSec to pick up group membership
sudo systemctl restart crowdsec
Log Files Empty or Not Being Writtenโ
๐๐ ๏ธ Verify log files exist and have recent contentโ
SH
# Verify log file exists
ls -la /var/log/nginx/access.log
# Check if it has recent content
tail -10 /var/log/nginx/access.log
# Check last modification time
stat /var/log/nginx/access.log
๐ ๏ธ If your files are empty fix your logging or change your acquisition configuration to point at the appropriate files
Detailed Acquisition Documentationโ
For more information on acquisition configuration:
- Datasources Documentation
- File datasource
- Journald datasource
- Hub collection pages - each collection shows example acquisition config
Related Issuesโ
- Log Processor No Logs Parsed - Next step if logs are read but not parsed
- Log Processor No Alerts - If logs are read and parsed but scenarios don't trigger
- Engine No Alerts - Similar issue at the Security Engine level
Getting Helpโ
If acquisition still does not work:
- Share your acquisition config on Discourse
- Ask on Discord with your
cscli metricsoutput and acquisition files - Check for similar issues in the GitHub repository