Hello there!
I installed Crowdsec on my Debian / LAMP server, running Nextcloud. I’ve checked if my questions were answered elsewhere but I can’t seem to find what I need. I am confused about how the whole thing works despite looking at a bunch of tutorials.
I connected the cscli to Crowdsec Hub, added the apache2, ssh and nextcloud collections, configured the log files… It was working fine, showing me alerts, so something was up. I didn’t use my server for a month and, using it today, it’s been up for 4 hours and I have had no new alerts since then.
Questions:
- Is this normal behaviour? Do alerts take time to show up?
- The Crowdsec Hub is telling me my version is outdated, but apt is telling me it’s up to date with version 1.4.6-6~deb12u1 (which is obviously not the latest). What is the solution to update to the newest version?
- I can see in the acquis.yaml which log files are listed, among them syslog.log and auth.log, which are out of date as of Debian 12. Indeed, /var/log/crowdsec.log says it doesn’t find them. Debian 12 documentation says syslog and auth logs are only accessible via the journalctl command now. Does Crowdsec automatically check for that?
- The nextcloud collection is installed (it appears in cscli collections list), but do I need to install a bouncer dedicated to nextcloud? I already have a firewall bouncer => can it take malicious IPs threatening Nextcloud and create a firewall rule against them? Or am I completely missing how Crowdsec works?
Thanks for your answers,
Vincent
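The third question above (syslog and auth.log no longer existing as files on Debian 12) is the kind of thing the CrowdSec journald data source was built for. The snippet below is an added illustration, not part of Vincent’s post and not a file shipped by CrowdSec or Debian: it is an acquis.yaml entry that reads SSH authentication events from the systemd journal instead of from /var/log/auth.log, using CrowdSec’s documented `journalctl` source. The unit name (`ssh.service`) is what Debian uses for OpenSSH; adjust it if your unit is named differently, and keep the existing `file` entries for Apache and Nextcloud, since those still write to real log files.

```yaml
# Added example: one acquisition entry for /etc/crowdsec/acquis.yaml
# (or a file under /etc/crowdsec/acquis.d/) on a Debian 12 host where
# auth.log is no longer written to disk.
#
# Instead of tailing a file, CrowdSec runs journalctl with the filter
# below and parses the resulting lines with the normal syslog parsers,
# so the ssh collection keeps working unchanged.
source: journalctl
journalctl_filter:
  # Assumed unit name: Debian's OpenSSH daemon. Check with
  # "systemctl list-units | grep ssh" if unsure.
  - "_SYSTEMD_UNIT=ssh.service"
labels:
  # Tells the parsers to treat these lines as syslog-formatted, which
  # is what the sshd parsers in the ssh collection expect.
  type: syslog
```

After restarting the crowdsec service, the Acquisition Metrics table in `cscli metrics` should show lines being read for the new journalctl source; a source that stays at zero lines read is the first thing to check when alerts stop appearing, and is consistent with the "file not found" messages in /var/log/crowdsec.log.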