Hi all!

I’ll try to be quick but I apologise first as I am pretty new to security stuff and my questions might be obvious to the more experts.

I have a VPS (hetzner) set up with docker, caddy for the reverse proxy, and authentik as the only login method for a couple of services (hedgedoc and forgejo). Since most of these has to be available and accessible on the internet, I also setup crowdsec and built caddy with the relevant bouncer. This allows crowdsec to inspect the caddy logs for all the services I am serving through it and act accordingly. Edit: all the services are in docker containers.

So far, so good. However, I also saw that crowdsec can directly monitor container logs with the docker integration or through container labels. Also, I saw a couple of collections on crowdsec hub specifically for Authentik and Gitea.

I feel I am missing something so my question are:

1. Would it be useful to monitor container logs given my setup or would it be redundant?
2. Should I add the app-specific collections, or would docker logs monitoring be enough?

My current crowdsec collections

---

• crowdsecurity/linux
• crowdsecurity/appsec-generic-rules
• crowdsecurity/caddy
• crowdsecurity/whitelist-good-actors
• crowdsecurity/http-cve
• crowdsecurity/iptables

Edit: bonus question, does someone know if the Gitea collection would be useful for Forgejo after it being a hard-fork now?