Watching logs for errors

Yes, it is doable. Here is a step-by-step guide:

1: Setup acquisition (You may have already done this)

source: journalctl
journalctl_filter:
 - "_HOSTNAME=myhostname"
labels:
  type: syslog
  onlyerrors: ""

Key thing to point out: we want to create an extra label to make sure we filter other journalctl sources out (I know this might be your only one, but I want to make sure that if anyone else finds this post it will work for them too).

2: Set up an s01-parser to filter and only find valid error lines

## /etc/crowdsec/s01-parse/journald-errors.yaml
onsuccess: next_stage
debug: false
filter: "'onlyerrors' in evt.Line.Labels && evt.Line.Module == 'journalctl' && Lower(evt.Line.Raw) contains 'error'"
name: me/journalctl-errors
description: "Parse error logs"
statics:
  - meta: log_type
    value: journalctl-error
## We assign the raw line to Meta attribute so we can get access in notifications
  - meta: raw
    expression: "evt.Line.Raw"

Now, once that is complete, we have to create a trigger bucket so every single event will generate an alert. (Later, in notifications, we will use alert grouping if you want to stop the spamming; that is only if you want to.)

3: Trigger bucket scenario

## /etc/crowdsec/scenarios/journalctl-error.yaml
type: trigger
name: me/journalctl-error
description: "Trigger bucket for single journalctl error"
filter: "evt.Meta.log_type == 'journalctl-error'"
capacity: 0
labels:
  remediation: false
scope:
  type: error
  expression: "1"

4: Profile to catch and alert

name: journalctl-error
filters:
  - Alert.Remediation == false && Alert.GetScenario() == "me/journalctl-error"
notifications:
  - slack_default
on_success: break
## VERY IMPORTANT LINE YOU NEED TO BREAK HERE ##
---
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
#duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
notifications:
  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
---

5: Notification template to show raw lines

format: |
  {{range . -}}
    {{range GetMeta . "raw" -}}
      {{.}}
    {{end -}}
  {{end -}}

The above template will iterate over each alert and key to dump them into the notification body. Another option I would suggest using is group_threshold: 10, since if you do not, it will spam a notification for every single alert.

Drawbacks to using CrowdSec for not the intended purpose:

cscli alerts list without filters will become useless, as it will show all alerts:

+------+-------+---------------------+---------+----+-----------+-----------------------------------------+
|  ID  | value |       reason        | country | as | decisions |               created_at                |
+------+-------+---------------------+---------+----+-----------+-----------------------------------------+
| 1861 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.509423252 +0000 UTC |
| 1860 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.509311235 +0000 UTC |
| 1859 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.509054715 +0000 UTC |
| 1858 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.508737757 +0000 UTC |
| 1857 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.508581164 +0000 UTC |
| 1856 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.507880999 +0000 UTC |
| 1855 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.507516435 +0000 UTC |
| 1854 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.507295145 +0000 UTC |
| 1853 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.507184672 +0000 UTC |
| 1852 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.501442395 +0000 UTC |
| 1851 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.501318035 +0000 UTC |
| 1850 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.501172189 +0000 UTC |
| 1849 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.501098466 +0000 UTC |
| 1848 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.500983435 +0000 UTC |
| 1847 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.500783466 +0000 UTC |
| 1846 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.500675253 +0000 UTC |
| 1845 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.50054052 +0000 UTC  |
| 1844 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.500145738 +0000 UTC |
| 1843 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.499992259 +0000 UTC |
| 1842 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.499939758 +0000 UTC |
| 1841 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.499788858 +0000 UTC |
| 1840 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.499482766 +0000 UTC |
| 1839 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.499341501 +0000 UTC |
| 1838 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.499184742 +0000 UTC |
| 1837 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.499089219 +0000 UTC |
| 1836 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.498872092 +0000 UTC |
| 1835 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.498742034 +0000 UTC |
| 1834 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.498546261 +0000 UTC |
| 1833 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.498447402 +0000 UTC |
| 1832 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.498225645 +0000 UTC |
| 1831 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.498036177 +0000 UTC |
| 1830 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.497944237 +0000 UTC |
| 1829 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.497643397 +0000 UTC |
| 1828 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.497406333 +0000 UTC |
| 1827 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.497314436 +0000 UTC |
| 1826 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.497183044 +0000 UTC |
| 1825 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.496918471 +0000 UTC |
| 1824 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.496701316 +0000 UTC |
| 1823 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.496639739 +0000 UTC |
| 1822 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.496346228 +0000 UTC |
| 1821 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.496135023 +0000 UTC |
| 1820 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.496015699 +0000 UTC |
| 1819 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.495913378 +0000 UTC |
| 1818 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.495347778 +0000 UTC |
| 1817 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.495247694 +0000 UTC |
| 1816 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.495081549 +0000 UTC |
| 1815 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.494981388 +0000 UTC |
| 1814 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.49475985 +0000 UTC  |
| 1813 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.494648326 +0000 UTC |
| 1812 | error | me/journalctl-error |         |    |           | 2024-01-14 21:19:36.494476092 +0000 UTC |
+------+-------+---------------------+---------+----+-----------+-----------------------------------------+

My own advice would be to just put something together in bash scripting and cronjob it instead; just because you can do something with a piece of software doesn't mean you should. However, let me know if you hit any errors.
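Following the bash-script-plus-cronjob advice above, here is an added example (mine, not code from the original post or from CrowdSec) that does what steps 2 to 5 do without CrowdSec: read the journal lines written since the last run, keep only those containing "error" (the same test as the s01 parser filter), and report them as one batched message instead of one alert per line. The cursor file path, the WEBHOOK_URL variable and the use of jq for JSON escaping are my assumptions, and the sample journal lines at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the "bash script + cronjob"
# alternative suggested above, doing what steps 2-5 do without CrowdSec.
# Assumed: the cursor path, WEBHOOK_URL, and jq for JSON escaping; the
# sample journal lines at the bottom are constructed.
CURSOR_FILE="${CURSOR_FILE:-/var/lib/journal-errors/cursor}"  # assumed path
WEBHOOK_URL="${WEBHOOK_URL:-}"  # empty: print the body instead of posting it

# Same test as the s01 parser filter: Lower(evt.Line.Raw) contains 'error'.
filter_error_lines() { grep -i 'error'; }
# Number of error lines in the text passed as $1 (prints 0 when none).
count_errors() { printf '%s\n' "$1" | filter_error_lines | grep -c . || true; }

# One batched notification body (the group_threshold idea from step 5):
# a summary line, then the raw error lines, like the {{range}} template.
build_body() {
    printf '%s: %s new journal error line(s)\n' \
        "$(hostname 2>/dev/null || echo unknown-host)" "$(count_errors "$1")"
    printf '%s\n' "$1" | filter_error_lines
}

# Journal entries since the last run; --show-cursor appends a "-- cursor: ..."
# line that run_once persists so every line is reported exactly once.
fetch_new_lines() {
    if [ -f "$CURSOR_FILE" ]; then since="--after-cursor=$(cat "$CURSOR_FILE")"; else since="-b"; fi
    journalctl -q -o short-iso --show-cursor "$since"
}
run_once() {
    out=$(fetch_new_lines)
    new_cursor=$(printf '%s\n' "$out" | sed -n 's/^-- cursor: //p')
    lines=$(printf '%s\n' "$out" | grep -v '^-- cursor: ')
    [ -n "$new_cursor" ] && mkdir -p "$(dirname "$CURSOR_FILE")" && printf '%s' "$new_cursor" >"$CURSOR_FILE"
    [ "$(count_errors "$lines")" -gt 0 ] || return 0
    body=$(build_body "$lines")
    if [ -n "$WEBHOOK_URL" ]; then
        curl -fsS -H 'Content-Type: application/json' \
            -d "{\"text\":$(printf '%s' "$body" | jq -Rs .)}" "$WEBHOOK_URL"
    else
        printf '%s\n' "$body"
    fi
}

# Constructed sample for a dry run: sh journal-errors.sh demo
SAMPLE_LINES='2024-01-14T21:19:36+0000 myhostname sshd[812]: Accepted publickey for ops
2024-01-14T21:19:36+0000 myhostname app[1201]: ERROR: database connection refused
2024-01-14T21:19:37+0000 myhostname app[1201]: retrying in 5s
2024-01-14T21:19:40+0000 myhostname kernel: usb 1-1: device descriptor read/64, error -71'
case "${1:-}" in
    demo) build_body "$SAMPLE_LINES" ;;  # summary line + the two error lines
    run)  run_once ;;                    # what the cron entry should call
esac
```

Call it from cron as `journal-errors.sh run`; the first run reports the current boot and saves the cursor, and later runs only see lines written after it.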