Hi all!
I’ll try to be quick, but I apologise first as I am pretty new to security stuff and my questions might be obvious to the more expert among you.
I have a VPS (hetzner) set up with docker, caddy for the reverse proxy, and authentik as the only login method for a couple of services (hedgedoc and forgejo). Since most of these have to be available and accessible on the internet, I also set up crowdsec and built caddy with the relevant bouncer. This allows crowdsec to inspect the caddy logs for all the services I am serving through it and act accordingly. Edit: all the services are in docker containers.
So far, so good. However, I also saw that crowdsec can directly monitor container logs with the docker integration or through container labels. Also, I saw a couple of collections on crowdsec hub specifically for Authentik and Gitea.
I feel I am missing something, so my questions are:
- Would it be useful to monitor container logs given my setup or would it be redundant?
- Should I add the app-specific collections, or would docker logs monitoring be enough?
My current crowdsec collections:
- crowdsecurity/linux
- crowdsecurity/appsec-generic-rules
- crowdsecurity/caddy
- crowdsecurity/whitelist-good-actors
- crowdsecurity/http-cve
- crowdsecurity/iptables
Edit: bonus question, does someone know if the Gitea collection would be useful for Forgejo now that it is a hard fork?
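An acquisition file matching the setup described in the post, added here as an illustration (not the poster's own config and not taken from the CrowdSec project): the first document follows the Caddy container's stdout through the docker datasource and tags the lines `type: caddy` so the crowdsecurity/caddy collection parses them; the second lets containers opt in by label instead. Assumptions: the container is named `caddy`, the agent release supports `use_container_labels`, and containers carry `crowdsec.enabled` / `crowdsec.labels.type` labels.

```yaml
# /etc/crowdsec/acquis.d/docker.yaml  (constructed example)
# Explicit form: follow one named container and label its lines so the
# crowdsecurity/caddy parsers pick them up. If the same Caddy access log is
# already read from a file on the host, this would feed every line twice, so
# keep only one of the two sources for a given log.
source: docker
container_name:
  - caddy              # assumed container name
follow_stdout: true
follow_stderr: false   # Caddy writes access logs to stdout; errors are noise here
labels:
  type: caddy          # parser type expected by crowdsecurity/caddy
---
# Label-driven form: the agent discovers every container that carries the label
# crowdsec.enabled=true and reads the parser type from crowdsec.labels.type
# (for example crowdsec.labels.type=caddy on the Caddy container). This is the
# "container labels" route mentioned in the post; assumes a release with
# use_container_labels support.
source: docker
use_container_labels: true
```

With the label-driven form, a container without a `crowdsec.labels.type` label is read but its lines match no parser, so check `cscli metrics` for unparsed lines after enabling it.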
I’m probably telling you wrong, but I’ve only been able to do the cs-blocklist-mirror and firewall-bouncer. There are a bunch of the scenarios that are remediation components. If you look at something like cs-cloudflare-worker-bouncer, well, I don’t have a use for the cs-cloudflare-worker-bouncer remediation component, so that doesn’t get installed. Same for remediation components like cs-aws-waf-bouncer. So yes, there are unlimited remediation components, just not all will fit your use case. As I understand it, you can even write your own, though I’ve not dabbled in that aspect.
If all you want to do is look at Docker logs and the occasional syslog, then I would think Dozzle to be quite capable in conjunction with something along the lines of lnav.