Skip to content

crowdsec crashing caused by corrupt journald files #3478

New issue
New issue
Open
#3803
Open
crowdsec crashing caused by corrupt journald files#3478
#3803
Labels
kind/bugSomething isn't workingneeds/triageos/linux
@BPplays

Description

@BPplays
BPplays
opened on Feb 20, 2025

What happened?

crowdsec exits with this error when there is a corrupted journald file

 2月 20 10:22:04 censored crowdsec[1631985]: FATAL unable to start crowdsec routines: starting acquisition error: journalctl error : Journal file /var/log/journal/a9c76294199a4f88adf443b4c9e7ddf6/user-1000@875e8bb697bc464dad39bdc08199af20-0000000000000000-0000000000000000.journal corrupted, ignoring file.

What did you expect to happen?

journald seems to handle corrupted files fine so there doesn't seem to be a reason to crash in this case
see: this

How can we reproduce it (as minimally and precisely as possible)?

  1. have corrupted journald file, check with journalctl --verify
  2. try to run crowdsec

Anything else we need to know?

No response

Crowdsec version

$ cscli version
version: v1.6.5-debian-pragmatic-amd64-d8dcdc91
Codename: alphaga
BuildDate: 2025-02-07_14:53:23
GoVersion: 1.23.6
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.5-debian-pragmatic-amd64-d8dcdc91-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog

OS version

# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ uname -a
Linux dns1.suzuko.org 6.1.0-29-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.123-1 (2025-01-02) x86_64 GNU/Linux

Enabled collections and parsers

$ cscli hub list -o raw
# paste output here

Acquisition config

```console # On Linux: $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/* # paste output here

On Windows:

C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml

paste output here

Config show

$ cscli config show
# paste output here

Prometheus metrics

$ cscli metrics
# paste output here

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugSomething isn't workingneeds/triageos/linux

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions