Acquis.yaml and journald

Hello mates

When I use acquis.yaml with journald, I used to send each specific service, as the documentation states,

but with NethServer we cannot really know what we host on the server, so I found an easy (lazy) way to push to CrowdSec everything that I need:

---
source: journalctl
journalctl_filter:
  - "_TRANSPORT=journal"
labels:
  type: syslog
---
source: journalctl
journalctl_filter:
  - "_TRANSPORT=syslog"
labels:
  type: syslog
---
source: journalctl
journalctl_filter:
  - "_TRANSPORT=stdout"
labels:
  type: syslog
---

I think that we could also push the kernel transport, which you would need if you want the iptables collection.

Look for _TRANSPORT= at:
https://www.man7.org/linux/man-pages/man7/systemd.journal-fields.7.html

Do you think I could make a PR to the documentation?
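As an added example (not code from the post, NethServer or the CrowdSec project), here is a small stdlib-only checker for a multi-document acquis.yaml of the shape shown above. It parses the subset of YAML that these files use (assumed: flat scalar keys, a list under journalctl_filter, a nested labels mapping, documents separated by ---), flags filters that are neither a FIELD=VALUE match nor a journalctl option, reports duplicated filters that would make the same journal lines be read twice, and lists which _TRANSPORT values named in systemd.journal-fields(7) are not yet covered, so the missing "kernel" transport for the iptables collection shows up directly. The sample file embedded below is constructed from the three documents in the post.

```python
import re

# Values of the _TRANSPORT journal field listed in systemd.journal-fields(7).
KNOWN_TRANSPORTS = {"audit", "driver", "syslog", "journal", "stdout", "kernel"}

# Constructed sample: the three-document acquisition file from the post.
SAMPLE_ACQUIS = """\
---
source: journalctl
journalctl_filter:
  - "_TRANSPORT=journal"
labels:
  type: syslog
---
source: journalctl
journalctl_filter:
  - "_TRANSPORT=syslog"
labels:
  type: syslog
---
source: journalctl
journalctl_filter:
  - "_TRANSPORT=stdout"
labels:
  type: syslog
---
"""

# A filter item is either a journal field match (FIELD=VALUE, upper-case field
# name) or a journalctl command-line option such as "-u" / "--since=...".
VALID_FILTER_RE = re.compile(r"^(-|[A-Z_][A-Z0-9_]*=)")


def parse_acquis(text):
    """Parse the YAML subset used by acquis.yaml (assumed shape, see lead-in):
    '---' separates documents, top-level 'key: value' scalars, '  - item' list
    entries under the current top-level key, '  key: value' nested pairs under
    the current top-level key. Returns one dict per non-empty document."""
    docs, cur, section = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "---":
            if cur:
                docs.append(cur)
            cur, section = {}, None
            continue
        if not line.strip():
            continue
        if line.startswith("  - "):                      # list item under section
            cur.setdefault(section, []).append(line[4:].strip().strip('"'))
        elif line.startswith("  "):                      # nested key under section
            key, value = line.strip().split(":", 1)
            cur.setdefault(section, {})[key] = value.strip()
        else:                                            # top-level key
            key, value = line.split(":", 1)
            section = key
            if value.strip():
                cur[key] = value.strip()
    if cur:
        docs.append(cur)
    return docs


def check_acquis(text):
    """Return (problems, missing_transports): human-readable findings plus the
    sorted list of known _TRANSPORT values no document selects."""
    problems, seen = [], set()
    for i, doc in enumerate(parse_acquis(text), 1):
        if doc.get("source") != "journalctl":
            problems.append(f"doc {i}: source is {doc.get('source')!r}, expected 'journalctl'")
        filters = doc.get("journalctl_filter", [])
        if not filters:
            problems.append(f"doc {i}: no journalctl_filter set")
        for flt in filters:
            if not VALID_FILTER_RE.match(flt):
                problems.append(f"doc {i}: filter {flt!r} is neither FIELD=VALUE nor a journalctl option")
            elif flt in seen:
                problems.append(f"doc {i}: filter {flt!r} duplicated, those lines would be read twice")
            seen.add(flt)
        if not doc.get("labels", {}).get("type"):
            problems.append(f"doc {i}: labels.type missing, no parser would match these lines")
    covered = {f.split("=", 1)[1] for f in seen if f.startswith("_TRANSPORT=")}
    return problems, sorted(KNOWN_TRANSPORTS - covered)


if __name__ == "__main__":
    problems, missing = check_acquis(SAMPLE_ACQUIS)
    for p in problems:
        print("PROBLEM:", p)
    print("transports not covered:", ", ".join(missing))
```

Run against a real file with `check_acquis(open("/etc/crowdsec/acquis.yaml").read())`; on the sample above it reports no problems and lists audit, driver and kernel as uncovered, which is the gap the post mentions for the iptables collection.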

Yes, I believe this should be added to the documentation, but it should just state that you can use any journalctl arguments rather than listing them, and probably reference the manpage.
