Have CrowdSec container read journald messages from host

Since the release of Debian 12, it seems you cannot use the usual method to read syslog files from /var/log anymore. Instead, you have to use journalctl, so there’s a support article detailing how to modify acquis.yaml to include those logs using the method here.

What I’m unsure of is how to bring these logs into the docker container running crowdsec so that they may be read. Is it some sort of bind mount? I already have /var/log mounted to the container, and I thought that’s where the system journal resided. Or is there some other way I’m not aware of?

I probably should also mention that if I add the journalctl section into the acquis.yml file as shown in the link, my reverse proxy (Traefik) will not permit me access to any of my sites. I get a 403 error. I assume this has something to do with forwardAuth and the Traefik bouncer, but why that would have anything to do with my acquisition yml, I don’t know:

source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog
---
filenames:
  - /traefik/log/*
labels:
  type: "traefik"
---
filenames:
  - /authelia/log/*

The reason you are getting 403 from Traefik is because if your container isn't the Debian one it doesn't have the journalctl binary, so it will crash the container, and if the bouncer doesn't get a response from CrowdSec it will return 403 by default.

So the question is: are you using the Debian container?

You’re absolutely right. I wasn’t aware there was another Debian-based container available, or that the default is Alpine. Thank you.

Edit:

Although @iiAmLoz is correct, it didn’t completely solve my issue. Make sure that if you have your journal file being written to /var/log, you bind mount /var/log on your host to /run/log inside the container. For the time being, it seems the current image only expects the system.journal file to exist in /run/log/journal/...
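Putting the two findings from this thread together as an added example (not from the original posts or from the CrowdSec project): a docker-compose service that uses a Debian-based image so the journalctl binary exists inside the container, and bind-mounts the host's persistent journal read-only at the path the image looks in. The `latest-debian` tag, container name, host log directories and volume name are assumptions; the acquis.yaml mounted here is the one shown earlier in the thread.

```yaml
# Added example, not CrowdSec's own compose file. Assumes:
#   - a Debian-based image tag (the default tag is Alpine and ships no journalctl,
#     so the container crashes and the Traefik bouncer fails closed with 403)
#   - the host journal is persistent and lives under /var/log/journal
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest-debian   # assumed tag; not the Alpine default
    container_name: crowdsec
    restart: unless-stopped
    volumes:
      # Not sufficient for journalctl acquisition: the image expects the journal
      # under /run/log/journal, so a plain /var/log mount leaves nothing to read.
      # - /var/log:/var/log:ro
      # Fix from the thread: expose the host journal where the container looks for it.
      # Read-only is enough; CrowdSec only reads the journal, it never writes it.
      - /var/log/journal:/run/log/journal:ro
      # The acquis.yaml posted above (journalctl + traefik + authelia sources).
      - ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      # Host paths are assumptions; they must match the filenames in acquis.yaml.
      - ./traefik/log:/traefik/log:ro
      - ./authelia/log:/authelia/log:ro
      # Keep the local API database across restarts so decisions survive.
      - crowdsec-db:/var/lib/crowdsec/data
    ports:
      - "127.0.0.1:8080:8080"   # local API for the Traefik bouncer; keep it off public interfaces

volumes:
  crowdsec-db:
```

To confirm the mount works before blaming the bouncer, run `docker exec crowdsec journalctl -D /run/log/journal -u ssh.service -n 3` (should print recent sshd lines, not "No journal files were found") and then `docker exec crowdsec cscli metrics`, where the acquisition table should show lines read for the journalctl source.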
