Using this helm chart I can deploy agents + lapi successfully and it starts operating well.
In my setup I have agents processing traefik logs.
I used the following values:
agent:
acquisition:
- namespace: my-ns
podName: traefik-*
program: traefik
The setup comes up nicely and is working well for a while untill it gets "stuck" and no longer processes new activity. The last log lines are:
crowdsec-agent time="2026-03-11T18:45:07Z" level=info msg="Re-opening moved/deleted file /var/log/containers/traefik-gdxbd_my-ns_traefik-f77cf417756568018518abbf6cd0d4eb16a57eb2ccc4c44be55e91b5a34e343d.log ..."
crowdsec-agent time="2026-03-11T18:45:07Z" level=info msg="Waiting for /var/log/containers/traefik-gdxbd_my-ns_traefik-f77cf417756568018518abbf6cd0d4eb16a57eb2ccc4c44be55e91b5a34e343d.log to appear..."
A deeper look also shows crowdsec actually warns about this behavior: time="2026-03-12T10:49:02Z" level=warning msg="File /var/log/containers/traefik-gdxbd_my-ns_traefik-f77cf417756568018518abbf6cd0d4eb16a57eb2ccc4c44be55e91b5a34e343d.log is a symlink, but inotify polling is enabled. Crowdsec will not be able to detect rotation. Consider setting poll_without_inotify to true in your configuration" file=/var/log/containers/traefik-gdxbd_my-ns_traefik-f77cf417756568018518abbf6cd0d4eb16a57eb2ccc4c44be55e91b5a34e343d.log module=acquisition.file type=file
Still creating an issue to avoid others from hitting this. Suggestions of how to improve experience:
- Add warning in values file for the example
- Have default of
poll_without_inotify: true ( different from crowdsec default but makes sense as kubernetes environments will often have symlinks for the log-path that is used in this chart)
workaround
Adding poll_without_inotify: true does seem to resolve the issue.
Using this helm chart I can deploy agents + lapi successfully and it starts operating well.
In my setup I have agents processing traefik logs.
I used the following values:
The setup comes up nicely and is working well for a while untill it gets "stuck" and no longer processes new activity. The last log lines are:
A deeper look also shows crowdsec actually warns about this behavior:
time="2026-03-12T10:49:02Z" level=warning msg="File /var/log/containers/traefik-gdxbd_my-ns_traefik-f77cf417756568018518abbf6cd0d4eb16a57eb2ccc4c44be55e91b5a34e343d.log is a symlink, but inotify polling is enabled. Crowdsec will not be able to detect rotation. Consider setting poll_without_inotify to true in your configuration" file=/var/log/containers/traefik-gdxbd_my-ns_traefik-f77cf417756568018518abbf6cd0d4eb16a57eb2ccc4c44be55e91b5a34e343d.log module=acquisition.file type=fileStill creating an issue to avoid others from hitting this. Suggestions of how to improve experience:
poll_without_inotify: true( different from crowdsec default but makes sense as kubernetes environments will often have symlinks for the log-path that is used in this chart)workaround
Adding
poll_without_inotify: truedoes seem to resolve the issue.