Since the release of Debian 12, it seems you cannot use the usual method to read syslog files from /var/log anymore. Instead, you have to use journalctl, so there's a support article detailing how to modify acquis.yaml to include those logs using the method here.
What I’m unsure of is how to bring these logs into the docker container running crowdsec so that they may be read. Is it some sort of bind mount? I already have /var/log mounted to the container, and I thought that’s where the system journal resided. Or is there some other way I’m not aware of?
I probably should also mention that if I add the journalctl section into the acquis.yml file as shown in the link, my reverse proxy (Traefik) will not let me into any of my sites. I get a 403 error. I assume this has something to do with forwardAuth and the Traefik bouncer, but why that would have anything to do with my acquisition yml, I don't know:
```yaml
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog
---
filenames:
  - /traefik/log/*
labels:
  type: "traefik"
---
filenames:
  - /authelia/log/*
```
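One thing worth doing before chasing the bouncer is to check each document in the acquisition file on its own. The script below is an added example, not part of the post and not CrowdSec's own code: it parses the flat YAML subset that acquisition files use (no PyYAML needed), then applies two rules that hold for CrowdSec acquisitions: a `journalctl` source needs a `journalctl_filter` list, and every document needs a `labels.type`, because parsers select lines on that label and a document without it produces events nothing will parse. The sample input is the file from the post as constructed here, with the indentation YAML requires; its third document is kept exactly as cut off above, so it has no labels and the check flags it. Whether the real file on disk is also missing those lines cannot be told from the thread.

```python
"""Sanity-check a multi-document CrowdSec acquis.yaml (added example, not CrowdSec code).

Parses only the flat subset acquisition files use: top-level scalars,
one-level lists and one-level maps such as `labels:`.
"""
from typing import Any, Dict, List

# Constructed input: the file from the post, indented as YAML requires.
# The last document is left as truncated in the post (no `labels:`).
SAMPLE_ACQUIS = """\
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog
---
filenames:
  - /traefik/log/*
labels:
  type: "traefik"
---
filenames:
  - /authelia/log/*
"""


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_acquis(text: str) -> List[Dict[str, Any]]:
    """Split a `---`-separated acquisition file into one flat dict per document."""
    docs: List[Dict[str, Any]] = []
    doc: Dict[str, Any] = {}
    current_key = None  # last top-level key; lists and nested maps attach to it
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped == "---":
            if doc:
                docs.append(doc)
            doc, current_key = {}, None
            continue
        indented = line != stripped
        if indented and current_key is None:
            raise ValueError(f"indented line without a parent key: {line!r}")
        if indented and stripped.startswith("- "):
            # list item, e.g. under `filenames:` or `journalctl_filter:`
            if doc[current_key] is None:
                doc[current_key] = []
            doc[current_key].append(_unquote(stripped[2:]))
            continue
        key, sep, value = stripped.partition(":")
        if not sep:
            raise ValueError(f"cannot parse line: {line!r}")
        key = key.strip()
        if indented:
            # nested map entry, e.g. `type: syslog` under `labels:`
            if doc[current_key] is None:
                doc[current_key] = {}
            doc[current_key][key] = _unquote(value)
            continue
        current_key = key
        doc[key] = _unquote(value) if value.strip() else None
    if doc:
        docs.append(doc)
    return docs


def check_document(doc: Dict[str, Any]) -> List[str]:
    """Return a list of problems for one acquisition document (empty if fine)."""
    problems: List[str] = []
    has_files = bool(doc.get("filenames"))
    source = doc.get("source") or ("file" if has_files else None)
    if source is None:
        problems.append("no `source:` and no `filenames:`; no datasource can be chosen")
    elif source == "file" and not has_files:
        problems.append("file source without any `filenames:` entry")
    elif source == "journalctl":
        if not doc.get("journalctl_filter"):
            problems.append("journalctl source without a `journalctl_filter:` list")
        if has_files:
            problems.append("`filenames:` is ignored by the journalctl source")
    labels = doc.get("labels")
    if not isinstance(labels, dict) or not labels.get("type"):
        problems.append("missing `labels.type`; parsers match on it, so nothing would parse these lines")
    return problems


def validate_acquis(text: str) -> List[List[str]]:
    """Problems per document, in file order."""
    return [check_document(d) for d in parse_acquis(text)]


if __name__ == "__main__":
    for i, problems in enumerate(validate_acquis(SAMPLE_ACQUIS), start=1):
        print(f"document {i}: {'ok' if not problems else '; '.join(problems)}")
```

Run it against the file actually mounted into the container rather than the pasted copy; the check only tells you the acquisition documents are complete, it says nothing about whether the journal files or the journalctl binary are reachable from inside the container.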