crowdsec: add nginx group so DynamicUser can read access.log
The agent runs as a systemd DynamicUser and was failing the nginx acquisition with "No matching files for pattern /var/log/nginx/access.log" because access.log is nginx:nginx 640 — readOnlyPaths handles sandbox visibility but not Unix perms. extraGroups = [ "nginx" ] gets it past the group bit. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent
0125a1deb2
commit
709b6944ad
1 changed files with 4 additions and 1 deletions
|
|
@ -62,8 +62,11 @@ in
|
||||||
"crowdsecurity/whitelist-good-actors" # don't ban legit crawlers
|
"crowdsecurity/whitelist-good-actors" # don't ban legit crawlers
|
||||||
];
|
];
|
||||||
|
|
||||||
# Allow the agent to read nginx logs (it runs as DynamicUser).
|
# Allow the agent (DynamicUser) to read nginx logs:
|
||||||
|
# readOnlyPaths makes the dir visible inside the sandbox; extraGroups
|
||||||
|
# gets it past Unix perms (access.log is nginx:nginx 640).
|
||||||
readOnlyPaths = [ "/var/log/nginx" ];
|
readOnlyPaths = [ "/var/log/nginx" ];
|
||||||
|
extraGroups = [ "nginx" ];
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
# config.yaml — main agent + LAPI configuration
|
# config.yaml — main agent + LAPI configuration
|
||||||
|
|
|
||||||
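Review bot: `extraGroups = [ "nginx" ];` gives the agent every group-level permission the nginx group holds, not just read access to access.log; depending on the host, that can include upstream sockets, cache directories or TLS key material that is group-readable by nginx. The new comment explains why the group is needed but not how wide the grant is, so I would extend it with something like `# NOTE: nginx group membership also covers anything else group-readable by nginx; keep that set small or move to a log-only group/ACL.` Whether the unit's other sandboxing narrows this cannot be seen here, because the enclosing attribute set starts and ends outside the hunk. It is also worth confirming that log rotation recreates access.log as nginx:nginx 640, otherwise acquisition will fail again after the first rotation.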