Hello !
First of all, thanks for your work, my setup works and I’m just coming back to share what I did (maybe it can help someone else who knows).
So I’m using the crowdsec/crowdsec helm chart in order to deploy crowdsec on kubernetes and I just needed to redirect the alerts to the standard output of the lapi pod in order to retrieve them with a log collector (vector).
Here’s the values.yaml I’m using:
image:
# -- docker image repository name
repository: crowdsecurity/crowdsec
# -- pullPolicy
pullPolicy: IfNotPresent
# -- docker image tag
tag: "dev"
container_runtime: containerd
agent:
# To specify each pod you want to process it logs (pods present in the node)
additionalAcquisition: []
# - source: kinesis
# stream_name: my-stream
# labels:
# type: mytype
# - source: syslog
# listen_addr: 127.0.0.1
# listen_port: 4242
# labels:
# type: syslog
acquisition:
# The namespace where the pod is located
- namespace: crowd-test
# The pod name
podName: ingress-crowd-test-ingress-nginx-controller-*
# as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
program: nginx
- namespace: crowd-test
# The pod name
podName: ingress-crowd-test-ingress-nginx-controller-*
# Those are ENV variables
env:
# As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
- name: DISABLE_ONLINE_API
value: "true"
# As we are running Nginx, we want to install the Nginx collection
- name: COLLECTIONS
value: "crowdsecurity/nginx"
- name: DISABLE_PARSERS
value: "crowdsecurity/whitelists"
lapi:
env:
# As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
- name: DISABLE_ONLINE_API
value: "true"
config:
config.yaml.local: |
# here I needed to run the plugin with root privilege in order to write in /proc/1/fd/1
plugin_config:
user: "root"
group: "root"
# db_config:
# type: postgresql
# user: crowdsec
# password: ${DB_PASSWORD}
# db_name: crowdsec
# host: 192.168.0.2
# port: 5432
# sslmode: require
# -- notifications configuration (https://docs.crowdsec.net/docs/next/notification_plugins/intro)
notifications:
files.yaml: |
type: file
name: file_default # this must match with the registered plugin in the profile
log_level: info # Options include: trace, debug, info, warn, error, off
# This template render all events as ndjson
format: |
{{range . -}}
{ "time": "{{.StopAt}}", "program": "crowdsec", "alert": {{. | toJson }} }
{{ end -}}
# you can't write on /dev/stdout because only the process with PID 1 will give output on k8s
log_path: "/proc/1/fd/1"
rotate:
enabled: false # Change to false if you want to handle log rotate on system basis
max_size: 500
max_files: 5
max_age: 5
compress: true
log_format:
custom_format: "%msg%" # https://github.com/t-tomalak/logrus-easy-formatter
profiles.yaml:
|
name: default_ip_remediation
#debug: true
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
- file_default
on_success: break
I’m aware that it’s a bit of a messy solution but at the moment I haven’t found another way to do it, if you have any suggestions I’m open to that.