Secure Wireguard with Crowdsec

Hi,

I have installed the crowdsec collection for wireguard.
https://app.crowdsec.net/hub/author/crowdsecurity/collections/wireguard

But I have problems understanding how to use it.
I have activated the logging for wireguard and I see the logs in journalctl when I use the following command:
journalctl -ek

Do I have to add the log in the acquis.yml like the following

journalctl_filter:
  - _SYSTEMD_UNIT=wg-quick@wg0.service
labels:
  type: wireguard

or does crowdsec use another way to check the log files from journalctl?

Thanks,
Robert

I found that if I use the cmd “journalctl -u wg-quick@wg0.service”, I see the status of the service, like whether the service is started, which IP and port the service is using, etc.
But if I use the cmd “journalctl -ekf”, I find the logs from the connection to the client, like heartbeat, failed auth, etc.
Does anyone know how I can assign all logs to the service “wg-quick@wg0.service”? Maybe someone has a different approach.

Problem solved.

I have to point to the kernel-logs:

Add the following entry to /etc/crowdsec/acquis.yml:

source: journalctl
journalctl_filter:
  - "_TRANSPORT=kernel"
labels:
  type: syslog
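
Why the unit filter from the first post sees no connection logs while the kernel filter does, as an added example (not part of the original posts and not CrowdSec code): the sketch applies journalctl's match rules to constructed `journalctl -o json` records. The sample records, their field values and the function names are assumptions made for illustration.

```python
import json

# Constructed sample of `journalctl -o json` output, one JSON object per line.
# The wg-quick unit logs interface setup; the WireGuard kernel module logs
# handshakes and keepalives, and those records carry no _SYSTEMD_UNIT field.
SAMPLE = """\
{"_TRANSPORT": "stdout", "_SYSTEMD_UNIT": "wg-quick@wg0.service", "MESSAGE": "[#] ip link add wg0 type wireguard"}
{"_TRANSPORT": "kernel", "SYSLOG_IDENTIFIER": "kernel", "MESSAGE": "wireguard: wg0: Invalid handshake initiation from 198.51.100.7:51820"}
{"_TRANSPORT": "kernel", "SYSLOG_IDENTIFIER": "kernel", "MESSAGE": "wireguard: wg0: Receiving keepalive packet from peer 1 (203.0.113.5:40000)"}
{"_TRANSPORT": "kernel", "SYSLOG_IDENTIFIER": "kernel", "MESSAGE": "usb 1-1: new high-speed USB device number 2 using xhci_hcd"}
"""


def matches(entry, filters):
    """journalctl match rules: same field is ORed, different fields are ANDed."""
    wanted = {}
    for item in filters:
        field, _, value = item.partition("=")
        wanted.setdefault(field, set()).add(value)
    return all(entry.get(field) in values for field, values in wanted.items())


def select(journal_json, filters):
    """Return the MESSAGE of every record that a journalctl_filter would pass."""
    entries = [json.loads(line) for line in journal_json.splitlines() if line.strip()]
    return [e["MESSAGE"] for e in entries if matches(e, filters)]


def wireguard_events(messages):
    """Keep only lines emitted by the WireGuard kernel module."""
    return [m for m in messages if m.startswith("wireguard: ")]


if __name__ == "__main__":
    for flt in (["_SYSTEMD_UNIT=wg-quick@wg0.service"], ["_TRANSPORT=kernel"]):
        passed = select(SAMPLE, flt)
        print(flt, "->", len(passed), "records,",
              len(wireguard_events(passed)), "from wireguard")
```

The kernel filter also passes unrelated kernel messages (the USB line in the sample), so everything the kernel logs is handed to CrowdSec's parsers, not only WireGuard traffic.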