Differences
Below are the differences between two revisions of the page.
tuto:monitoring:graylog_to_crowdsec [05/03/2021 18:39] dani [g2cs]
tuto:monitoring:graylog_to_crowdsec [05/03/2021 19:19] (current version) rv [Background]
Line 3: | Line 3: | ||
===== Background ===== | ===== Background ===== | ||
- | Crowdsec' | + | Crowdsec' |
* I really like the idea behind the Journal (systemd-journald), | * I really like the idea behind the Journal (systemd-journald), | ||
* Let's assume we have 40 VM on which we'd like crowdsec agent running. This means something like 40x80MB = 3.2GB of RAM, just for crowdsec | * Let's assume we have 40 VM on which we'd like crowdsec agent running. This means something like 40x80MB = 3.2GB of RAM, just for crowdsec | ||
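Review bot: the sizing argument in the second bullet (40 VM x 80MB = 3.2GB) rests on an 80MB-per-agent figure that the hunk does not source; state how it was obtained (for example the RSS of an idle agent and the crowdsec version measured) so readers can compare it with their own install, because that figure is the whole justification for parsing centrally in one crowdsec instead of running an agent per VM.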
Line 97: | Line 97: | ||
You should now see logs flowing from Graylog, to crowdsec. I'm using this on a small graylog setup, ingesting about 400msg/sec, out of which ~200msg/sec are parsed by my single crowdsec install. I just have to install the bouncers where I want to react to all the agressive IP collected on all my servers | You should now see logs flowing from Graylog, to crowdsec. I'm using this on a small graylog setup, ingesting about 400msg/sec, out of which ~200msg/sec are parsed by my single crowdsec install. I just have to install the bouncers where I want to react to all the agressive IP collected on all my servers | ||
+ | |||
+ | ===== Run crowdsec with less privileges ===== | ||
+ | Bonus point : as crowdsec only access logs from the g2cs daemon, you can run both as a less privileged user, instead of root. First, create an unprivileged user | ||
+ | |||
+ | <code bash> | ||
+ | useradd -r -s / | ||
+ | </ | ||
+ | |||
+ | Now adapt the systemd unit for crowdsec, eg in / | ||
+ | |||
+ | <code ini> | ||
+ | Service] | ||
+ | User=g2cs | ||
+ | Group=g2cs | ||
+ | </ | ||
+ | |||
+ | And create a systemd unit for g2cs itself, / | ||
+ | |||
+ | <code ini> | ||
+ | [Unit] | ||
+ | Description=Graylog to Crowdsec syslog daemon | ||
+ | After=syslog.target | ||
+ | |||
+ | [Service] | ||
+ | Type=simple | ||
+ | ExecStart=/ | ||
+ | User=g2cs | ||
+ | Group=g2cs | ||
+ | Restart=always | ||
+ | PrivateTmp=yes | ||
+ | PrivateDevices=yes | ||
+ | ProtectSystem=full | ||
+ | ProtectHome=yes | ||
+ | NoNewPrivileges=yes | ||
+ | SyslogIdentifier=g2cs | ||
+ | |||
+ | # Allow binding on privileged ports | ||
+ | CapabilityBoundingSet=CAP_NET_BIND_SERVICE | ||
+ | AmbientCapabilities=CAP_NET_BIND_SERVICE | ||
+ | |||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ |
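Review bot: the crowdsec drop-in is malformed: the section header is written as `Service]` and must be `[Service]`. systemd ignores `User=` and `Group=` assignments that fall outside a section (it only logs a warning in the journal), so with the drop-in as shown crowdsec silently keeps running as root and the whole "less privileges" section has no effect; correct the header and tell readers to check with `systemctl show crowdsec -p User` after the restart. Two further points on this hunk: changing crowdsec to `User=g2cs` only works once the files it writes (its data directory holding the SQLite database, and its log file) are owned by or writable by that user, so add the corresponding `chown` step before the unit change rather than leaving readers to discover it from a failing service; and `After=syslog.target` in the g2cs unit references a legacy target that no longer exists on current systemd, where an `After=` on a missing unit is simply ignored, so drop it or use `After=network.target` since the daemon receives syslog from Graylog over the network. The `CapabilityBoundingSet=`/`AmbientCapabilities=CAP_NET_BIND_SERVICE` pair is the right way to keep a privileged listening port for an unprivileged user and does work together with `NoNewPrivileges=yes`.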