Hello, I have MSSQL installed on Linux Debian 12 and Crowdsec as well. Now I’m trying to secure it, but I’m failing at the acquisition stage. What do I need to specify here on Linux?
My MSSQL Log file is:
- /var/opt/mssql/log/errorlog
and I get an error in this file when the password is wrong:
2025-04-24 21:54:06.12 Logon Login failed for user ‘sa’. Reason: Password did not match that for the login provided. [CLIENT: 192.168.178.xx]
I currently have:
#Generated acquisition file - wizard.sh (service: ssh) / files :
journalctl_filter:
  - _SYSTEMD_UNIT=ssh.service
labels:
  type: syslog
---
# second datasource: must be its own YAML document, separated by ---
filenames:
  - /var/opt/mssql/log/errorlog
labels:
  type: mssql
and in the metrics I get only:
╭──────────────────────────────────────────╮
│ Local API Decisions │
├────────────────┬────────┬────────┬───────┤
│ Reason │ Origin │ Action │ Count │
├────────────────┼────────┼────────┼───────┤
│ ssh:bruteforce │ CAPI │ ban │ 10442 │
│ ssh:exploit │ CAPI │ ban │ 1611 │
╰────────────────┴────────┴────────┴───────╯
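As an added illustration (not code from the post above or from CrowdSec), this standalone Python snippet shows what any parser for that errorlog format has to extract before a bruteforce scenario can act on it: the timestamp, the failed user, the reason and, above all, the client IP, which becomes the source address that a decision is made against. The log lines are constructed samples in the same format as the line quoted in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the format of /var/opt/mssql/log/errorlog
SAMPLE_LOG = """\
2025-04-24 21:54:06.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.178.20]
2025-04-24 21:54:07.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.178.20]
2025-04-24 21:54:09.00 Logon       Login failed for user 'report'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.7]
2025-04-24 21:55:00.00 spid12s     SQL Server is now ready for client connections.
"""

# Matches only "Login failed" events; the user name may be wrapped in straight
# or typographic quotes (forum software often rewrites ' as a curly quote).
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<source>\S+)\s+"
    r"Login failed for user ['\u2018](?P<user>[^'\u2019]*)['\u2019]\."
    r"(?: Reason: (?P<reason>.*?))?"
    r" \[CLIENT: (?P<client>[^\]]+)\]\s*$"
)


def parse_login_failure(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a failed-login line, or None for any other line."""
    m = LOGIN_FAILED_RE.match(line)
    if not m:
        return None
    return {k: (v or "") for k, v in m.groupdict().items()}


def failures_by_client(log_text: str) -> Dict[str, int]:
    """Count failed logins per client IP across the whole log text."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        event = parse_login_failure(line)
        if event:
            counts[event["client"]] = counts.get(event["client"], 0) + 1
    return counts


def bruteforce_candidates(log_text: str, threshold: int) -> List[str]:
    """Clients with at least `threshold` failures, i.e. what a scenario would flag."""
    return sorted(ip for ip, n in failures_by_client(log_text).items() if n >= threshold)
```

A CrowdSec parser does the same job in YAML with a grok pattern and a scenario applies the threshold over a time window; the point here is only that the `[CLIENT: ...]` field must end up as the source IP, otherwise no decision can be taken for MSSQL.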