Différences

Ci-dessous, les différences entre deux révisions de la page.

--- tuto:monitoring:graylog_to_crowdsec [05/03/2021 18:39]
dani [g2cs]
+++ tuto:monitoring:graylog_to_crowdsec [05/03/2021 19:12]
dani
@@ Ligne 97: / Ligne 97: @@
 You should now see logs flowing from Graylog, to crowdsec. I'm using this on a small graylog setup, ingesting about 400msg/sec, out of which ~200msg/sec are parsed by my single crowdsec install. I just have to install the bouncers where I want to react to all the agressive IP collected on all my servers
+===== Run crowdsec with less privileges =====
+Bonus point : as crowdsec only access logs from the g2cs daemon, you can run both as a less privileged user, instead of root. First, create an unprivileged user
+<code bash>
+useradd -r -s /sbin/nologin g2cs
+</code>
+Now adapt the systemd unit for crowdsec, eg in /etc/systemd/system/crowdsec.service.d/user.conf
+<code ini>
+Service]
+User=g2cs
+Group=g2cs
+</code>
+And create a systemd unit for g2cs itself, /etc/systemd/system/g2cs.service
+<code ini>
+[Unit]
+Description=Graylog to Crowdsec syslog daemon
+After=syslog.target
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/g2cs --port=514 --logdir=/run/g2cs/logs
+User=g2cs
+Group=g2cs
+Restart=always
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+SyslogIdentifier=g2cs
+# Allow binding on privileged ports
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+[Install]
+WantedBy=multi-user.target
+</code>