Secure Wireguard with Crowdsec


I have installed the crowdsec collection for wireguard.

But I have problems understanding how to use it.
I have activated logging for WireGuard and I see the logs in journalctl when I use the following command:
journalctl -ek

Do I have to add the log to acquis.yml like the following


type: wireguard

or does CrowdSec use another way to check the log files from journalctl?


I found that if I use the cmd “journalctl -u wg-quick@wg0.service”, I see the status of the service, such as whether the service is started, which IP and port the service is using, etc.
But if I use the cmd “journalctl -ekf”, I find the logs from the connection to the client, like heartbeat, failed auth, etc.
Does anyone know how I can assign all logs to the service “wg-quick@wg0.service”? Maybe someone has a different approach.

Problem solved.

I have to point to the kernel-logs:

Add the following entry to /etc/crowdsec/acquis.yml:

source: journalctl

type: syslog
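Added example, not part of the thread: a short Python script showing why a filter on the wg-quick unit never sees the handshake messages while the kernel transport does. The journal records are constructed, the MESSAGE wording is an assumption modelled on WireGuard's kernel debug output, and the helper names are hypothetical.

```python
import json
import re
from collections import Counter

# Constructed sample of `journalctl -o json` output, one record per line.
# MESSAGE texts are assumptions modelled on WireGuard's kernel debug logging.
SAMPLE_JOURNAL = "\n".join(json.dumps(r) for r in [
    {"_TRANSPORT": "stdout", "_SYSTEMD_UNIT": "wg-quick@wg0.service",
     "MESSAGE": "[#] ip link add wg0 type wireguard"},
    {"_TRANSPORT": "stdout", "_SYSTEMD_UNIT": "wg-quick@wg0.service",
     "MESSAGE": "[#] ip link set mtu 1420 up dev wg0"},
    {"_TRANSPORT": "kernel", "MESSAGE": "usb 1-1: new high-speed USB device"},
    {"_TRANSPORT": "kernel", "MESSAGE":
     "wireguard: wg0: Sending keepalive packet to peer 1 (198.51.100.20:40112)"},
    {"_TRANSPORT": "kernel", "MESSAGE":
     "wireguard: wg0: Invalid handshake initiation from 203.0.113.7:51001"},
    {"_TRANSPORT": "kernel", "MESSAGE":
     "wireguard: wg0: Invalid handshake initiation from 203.0.113.7:51002"},
    {"_TRANSPORT": "kernel", "MESSAGE":
     "wireguard: wg0: Invalid handshake initiation from 203.0.113.7:51003"},
    {"_TRANSPORT": "kernel", "MESSAGE":
     "wireguard: wg0: Invalid handshake initiation from [2001:db8::5]:40000"},
])

# Source address is IPv4 "a.b.c.d:port" or bracketed IPv6 "[addr]:port".
FAILED = re.compile(r"^wireguard: (?P<dev>\S+): Invalid handshake initiation "
                    r"from \[?(?P<ip>[0-9A-Fa-f:.]+?)\]?:(?P<port>\d+)$")

def load_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def select(records, field, value):
    """Approximate a journald match such as _TRANSPORT=kernel or -u <unit>."""
    return [r for r in records if r.get(field) == value]

def failed_handshakes(records):
    """Count failed handshake initiations per source IP."""
    hits = Counter()
    for rec in records:
        m = FAILED.match(rec.get("MESSAGE", ""))
        if m:
            hits[m.group("ip")] += 1
    return hits

def compare_sources(text=SAMPLE_JOURNAL, unit="wg-quick@wg0.service"):
    """Failed handshakes visible through the unit filter vs. the kernel log."""
    records = load_records(text)
    return {"unit": failed_handshakes(select(records, "_SYSTEMD_UNIT", unit)),
            "kernel": failed_handshakes(select(records, "_TRANSPORT", "kernel"))}

if __name__ == "__main__":
    for source, hits in compare_sources().items():
        print(source, dict(hits))
```

Kernel messages carry `_TRANSPORT=kernel` and no `_SYSTEMD_UNIT` field, so they cannot be attributed to wg-quick@wg0.service; the acquisition has to read the kernel log instead.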