From c1a9e841276586c2c16f393be800e4d5b7df17af Mon Sep 17 00:00:00 2001
From: kappa
Date: Fri, 17 Apr 2026 07:30:22 +0900
Subject: [PATCH] crowdsec: unify Vector _msg on standard nginx combined, remove custom parser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Convert Traefik JSON → standard nginx combined _msg in the Vector transform
- Rebuild the APISIX Seoul _msg as well (non-standard → standard nginx combined)
- Remove the custom/apisix-logs parser, unify on a single nginx-logs
- Change the CrowdSec VictoriaLogs Traefik acquisition type to nginx

--- infra/security/crowdsec-safeline.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/security/crowdsec-safeline.md b/infra/security/crowdsec-safeline.md index c6754a7..f4abb88 100644 --- a/infra/security/crowdsec-safeline.md +++ b/infra/security/crowdsec-safeline.md @@ -31,7 +31,7 @@ Traefik DaemonSet (stdout JSON accessLog) | Values | `~/k8s/vector/values.yaml` | | CrowdSec 포트 | 8086 | | 인증 | `Authorization: traefik-crowdsec-log-2024` | -| 파서 | `crowdsecurity/traefik-logs` (Hub, JSON 모드). APISIX: `custom/apisix-logs` (로컬, 서울 비표준 nginx 포맷 대응) | +| 파서 | `crowdsecurity/nginx-logs` (Hub, 표준 nginx combined). Vector에서 모든 로그를 표준 포맷으로 변환 후 VictoriaLogs 저장 | ### APISIX → VictoriaLogs → CrowdSec (서울+오사카 통합) 
@@ -49,7 +49,7 @@ Traefik DaemonSet (stdout JSON accessLog) | CrowdSec acquisition | `/etc/crowdsec/acquis.d/victorialogs-apisix.yaml` (`source: victorialogs`, `mode: tail`, `query: program:apisix log_type:access`) | | 서울 Vector | K3s DaemonSet (Helm `vector/vector`), `parse_apisix` transform → `vlogs` ES sink | | 오사카 Vector | Docker `timberio/vector:0.45.0-debian`, `/etc/vector/vector.yaml`, `docker_logs` source → `parse_apisix` → `vlogs` ES sink. `location: osaka` 필드 추가 | -| 파서 | `custom/apisix-logs` (로컬, 서울 format: `IP - user [date] HOST "req" status bytes req_time "ref" "ua"`) | +| 파서 | `crowdsecurity/nginx-logs` (Vector가 표준 nginx combined로 변환) | ### APISIX → log-collector → CrowdSec (sandbox-tokyo)
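Review bot: in the first hunk (the Traefik table at `@@ -31,7 +31,7 @@`), the new row `| 파서 | `crowdsecurity/nginx-logs` (Hub, 표준 nginx combined). Vector에서 모든 로그를 표준 포맷으로 변환 후 VictoriaLogs 저장 |` is the only documentation change for a commit whose message also records a new Vector transform (Traefik JSON → nginx combined `_msg`) and an acquisition `type: nginx` switch; neither has a counterpart in the table, so name the transform and the acquisition file in this section so the reader knows which two pieces must stay in sync with the parser choice. Because nginx combined has no slot for several Traefik JSON access-log fields, the row should also state which fields survive the rewrite into VictoriaLogs, since that decides what is still available for an investigation. Separately, the unchanged context row `| 인증 | `Authorization: traefik-crowdsec-log-2024` |` keeps a static shared secret in plaintext in the docs; point at where the value is stored instead of reproducing it.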
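Review bot: in the second hunk (the APISIX table at `@@ -49,7 +49,7 @@`), the removed line was the only place that documented the Seoul log layout (`IP - user [date] HOST "req" status bytes req_time "ref" "ua"`), and that layout is exactly what the `parse_apisix` transform must now parse before it can emit a standard combined `_msg`; keep the format string (for example in the `서울 Vector` row) rather than dropping it, because the unchanged context rows still read `parse_apisix transform → vlogs ES sink` with no mention of the rewrite. Also, `crowdsecurity/nginx-logs` only matches events whose program label is nginx, so the acquisition row `/etc/crowdsec/acquis.d/victorialogs-apisix.yaml (source: victorialogs, mode: tail, query: program:apisix log_type:access)` should document `labels.type: nginx`; the commit message records that change only for the Traefik acquisition, and without it on the APISIX stream the new parser will not fire.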