Acquis.yaml and journald

stephdl · March 20, 2024, 3:47pm

Hello mates

When I use the acquis.yaml with journald I used to send each specific services like the documentation states

but with NethServer we cannot really know what we host on the server, I find an easy way (lazzy way) to push to crowdsec everything that I need

---
source: journalctl
journalctl_filter:
  - "_TRANSPORT=journal"
labels:
  type: syslog
---
source: journalctl
journalctl_filter:
  - "_TRANSPORT=syslog"
labels:
  type: syslog
---
source: journalctl
journalctl_filter:
  - "_TRANSPORT=stdout"
labels:
  type: syslog
---

I think that we could push also for the kernel that you could need if you want the iptables collection

looks for : _TRANSPORT=
https://www.man7.org/linux/man-pages/man7/systemd.journal-fields.7.html

Do you think I could make a PR to the documentation ?

iiAmLoz · March 20, 2024, 4:58pm

Yes I believe this should be added to the documentation but it should just inform you can use any journalctl arguments rather than listing them and probably reference the manpage.

Topic		Replies	Views
Have CrowdSec container read journald messages from host crowdsec	4	1640	July 1, 2023
Secure Wireguard with Crowdsec crowdsec	2	468	April 28, 2024
`cscli explain` a journald log? crowdsec	1	39	July 17, 2024
Crowdsec container and journald matches issues	4	1550	October 25, 2022
Acquis.yaml questions and other things crowdsec	5	3185	March 24, 2022

Acquis.yaml and journald

Related topics