I recently discovered Crowdsec and got it up and running in a VM as the “central” node and as a container on my Traefik server (running as a Docker container). I find much to like about the functionality of Crowdsec as well as the concept behind it. However, specifically, the Docker functionality gives me pause.
Almost every application I have in my home network (Traefik, Home Assistant, Calibre, Grocy, Plex, etc.) is running as a Docker container, and I have instrumented the setup to use Promtail/Loki as a Docker log driver and a central Loki server ingesting logs from every application/service. This means that Crowdsec tapping into the Docker containers to ingest logs in most cases will do nothing, as the driver has already pushed the logs to the Loki server.
I have alerts set up on the Loki and Prometheus services through Grafana, so removing Loki from the equation will significantly degrade the management of my network.
For those of you that rely heavily on Docker: are you also using Loki to manage your logs, and if so, how are you getting these logs into Crowdsec?
Also, to the Crowdsec team: How would you suggest I set up a centralized log ingestion from Loki so I can take advantage of Crowdsec?