Hello, I have MSSQL installed on Linux Debian 12 and Crowdsec as well. Now I’m trying to secure it, but I’m failing at the acquisition stage. What do I need to specify here on Linux?
My MSSQL Log file is:
- /var/opt/mssql/log/errorlog
and I get an error in this file when the password is wrong:
2025-04-24 21:54:06.12 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.178.xx]
I currently have:
#Generated acquisition file - wizard.sh (service: ssh) / files :
journalctl_filter:
  - _SYSTEMD_UNIT=ssh.service
labels:
  type: syslog
---
filenames:
  - /var/opt/mssql/log/errorlog
labels:
  type: mssql
and in the metrics I only get:
╭──────────────────────────────────────────╮
│ Local API Decisions │
├────────────────┬────────┬────────┬───────┤
│ Reason │ Origin │ Action │ Count │
├────────────────┼────────┼────────┼───────┤
│ ssh:bruteforce │ CAPI │ ban │ 10442 │
│ ssh:exploit │ CAPI │ ban │ 1611 │
╰────────────────┴────────┴────────┴───────╯
Hi,
can you be more explicit please?
Where do I have to put this?
filenames:
  - /var/opt/mssql/log/errorlog
labels:
  type: mssql
Thanks a lot.
where i have to put this ?
Depending on how you installed CrowdSec, either:
- (Docker) you mount a file to
/etc/crowdsec/acquis.d/mysql.yaml
- (Bare metal) you create a file
/etc/crowdsec/acquis.d/mysql.yaml
This is outlined in our post-installation instructions.
It's bare metal.
/etc/crowdsec/acquis.d/mysql.yaml
CrowdSec works,
but it did not ban the user attacks on MSSQL:
2025-07-14 16:20:40.16 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 187.188.131.170]
2025-07-14 16:20:53.92 Logon Error: 18456, Severity: 14, State: 8.
2025-07-14 16:20:53.92 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 210.114.12.149]
2025-07-14 16:22:04.48 Logon Error: 18456, Severity: 14, State: 8.
2025-07-14 16:22:04.48 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 27.118.26.25]
2025-07-14 16:22:34.26 Logon Error: 18456, Severity: 14, State: 8.
2025-07-14 16:22:34.26 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 69.67.97.110]
2025-07-14 16:23:28.77 Logon Error: 18456, Severity: 14, State: 8.
2025-07-14 16:23:28.77 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.38.88.89]
2025-07-14 16:24:07.95 Logon Error: 18456, Severity: 14, State: 8.
2025-07-14 16:24:07.95 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 110.249.209.100]
2025-07-14 16:25:48.69 Logon Error: 18456, Severity: 14, State: 8.
2025-07-14 16:25:48.69 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 49.207.182.231]
2025-07-14 16:26:03.31 Logon Error: 18456, Severity: 14, State: 8.
2025-07-14 16:26:03.31 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 200.27.18.104]
2025-07-14 16:26:46.41 Logon Error: 18456, Severity: 14, State: 8.
2025-07-14 16:26:46.41 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 217.58.12.61]
Also, when I check CrowdSec with: cscli hub list
everything is OK.
CrowdSec is also running on my Debian 12.11 server.
crowdsecurity/ssh-slow-bf registers blocked clients,
but not for MSSQL, even though in the MSSQL log I have clients who try.
Can you check cscli metrics
to see if the file is being read and parsed?
When you configure the file you're meant to restart the service so it picks up the new configuration, via systemctl restart crowdsec.
Also, checking the OP's example, they spelt mysql
wrong in the label type; please check the hub for a configuration example: Collections, AppSec Rules & Configurations | CrowdSec Hub - CrowdSec Console
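The reply above asks whether the errorlog lines are actually being read and parsed. As an added example that is not part of this thread and not the CrowdSec hub's own mssql parser or scenario, the script below shows, outside CrowdSec, what that pipeline has to do with the lines posted here: match the 18456 "Login failed for user" line, pull out the client IP, and count failures per IP inside a sliding window, flagging an IP once it exceeds a threshold. The regex, the threshold (more than 5 failures in 60 seconds) and the log sample are my own assumptions; the sample lines are constructed in the errorlog format with RFC 5737 documentation addresses, and one line deliberately carries the curly quotes the forum introduced so you can see that a parser written for the real file's straight quotes would otherwise silently drop it.

```python
"""Added example: MSSQL errorlog login-failure detection in plain Python.
Not CrowdSec code; it mirrors what a parser + bruteforce scenario do."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line shape (from the 18456 lines in this thread):
# "<date> <time> Logon  Login failed for user '<user>'. Reason: <text> [CLIENT: <ip>]"
# Both straight and curly quotes are accepted around the user name.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user ['\u2018](?P<user>[^'\u2019]*)['\u2019]\."
    r"(?:\s*Reason: (?P<reason>.*?))?\s*\[CLIENT: (?P<ip>[^\]]+)\]\s*$"
)

# Constructed sample: one client hammering 'sa', one client failing twice.
SAMPLE_LOG = """\
2025-07-14 16:20:40.16 Logon       Error: 18456, Severity: 14, State: 8.
2025-07-14 16:20:40.16 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2025-07-14 16:20:45.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2025-07-14 16:20:49.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2025-07-14 16:20:51.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2025-07-14 16:20:57.81 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.10]
2025-07-14 16:21:03.44 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2025-07-14 16:21:10.09 Logon       Login failed for user \u2018sa\u2019. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2025-07-14 16:25:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""


def parse_line(line):
    """Return a dict with ts/user/reason/ip for a login-failure line, else None.
    The separate 'Error: 18456, Severity: 14, State: 8.' line carries no
    client address, so it is not matched and does not count as an event."""
    m = LOGIN_FAILED.match(line.rstrip("\n"))
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "user": m["user"],
        "reason": m["reason"] or "",
        "ip": m["ip"],
    }


def detect_bruteforce(lines, capacity=5, window_s=60):
    """Sliding-window rule (my assumption, standing in for a leaky bucket):
    an IP is flagged when it has more than `capacity` failed logins within
    any `window_s` seconds. Returns {ip: time of the triggering failure}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > capacity and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    parsed = [ev for ev in map(parse_line, lines) if ev is not None]
    print(f"{len(lines)} lines, {len(parsed)} login-failure events")
    for ip, when in detect_bruteforce(lines).items():
        print(f"would ban {ip} at {when:%H:%M:%S}")
```

Run it as-is and only 203.0.113.10 is flagged, at the sixth failure. To get the same answer from CrowdSec itself rather than from this script, the equivalent check is to feed the real file through the hub's parsers with `cscli explain --file /var/opt/mssql/log/errorlog --type mssql` and look at whether each line reaches a parser and a scenario; if the lines never show up as parsed there, or the acquisition section of `cscli metrics` shows no reads for that file, the problem is before the scenario (acquisition file not loaded, wrong `type` label, or no restart), not in the ban logic.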
I did check before; it does make it OK.
also checking the OP example they spelt mysql
wrong in the label type
I had already corrected it to mssql,
and here I have /etc/crowdsec/acquis.d/mssql.yaml.
Somewhere there is a cache, and I haven't figured out yet where.