Secure Wireguard with Crowdsec

h725rk · April 28, 2024, 3:10pm

Hi,

I have installed the crowdsec collection for wireguard.
https://app.crowdsec.net/hub/author/crowdsecurity/collections/wireguard

But I have problems with the understandig how to use it.
I have activate the logging for wireguard and I see the logs in journalctl, when I use the follwing command:
journalctl -ek

Does I have to add the log in the acquis.yml like the follwing

journalctl_filter:

_SYSTEMD_UNIT=wg-quick@wg0.service
labels:
type: wireguard

or use crowdsec another way to check the logfiles from journalctl?

Thanks,
Robert

h725rk · April 28, 2024, 5:24pm

I found, if I use the the cmd “journalctl -u wg-quick@wg0.service” I see the status of the service, like is the service started, which IP and port is the service using, etc.
But, if I use the cmd “journalctl -ekf” I found the logs from the connection to the client, like heartbeat, failed auth, etc.
Does anyone know, how can I assign all logs to the service “wg-quick@wg0.sevice”. Maybe someone has a different approach.

h725rk · April 28, 2024, 5:40pm

Problem solved.

I have to point to the kernel-logs:

Add the following entry to /etc/crowdsec/acquis.yml:

source: journalctl
journalctl_filter:

Topic		Replies	Views
Acquis.yaml and journald	1	389	March 20, 2024
Watching logs for errors	3	700	January 27, 2024
Journalctl parsers fails (solved) crowdsec	4	1163	March 5, 2023
Have CrowdSec container read journald messages from host crowdsec	4	1641	July 1, 2023
`cscli explain` a journald log? crowdsec	1	39	July 17, 2024

Secure Wireguard with Crowdsec

Add the following entry to /etc/crowdsec/acquis.yml:

“_TRANSPORT=kernel” labels: type: syslog

Related topics

“_TRANSPORT=kernel”
labels:
type: syslog