Authentik (docker) with remote crowdsec component on network

Trying to determine how to configure the Crowdsec components for Authentik log ingestion and point it to my existing Crowdsec server that already has logs feeding into it. Also curious about how to validate that nginx logs are being ingested by the Crowdsec server I already have established.
7 Replies
blotus (2w ago)
You can use `cscli metrics` to see if the logs are read and parsed properly. If you are running 1.7, you can also use `cscli machines inspect <MACHINE_NAME>` (you can get the list of machines from `cscli machines list`); it will display overall acquisition and parsing metrics.
blotus (2w ago)
If authentik is running on another machine, the easiest is probably to simply install the log processor on it, configure it to read the logs, and point it to your existing LAPI server (you can use this as a reference: https://docs.crowdsec.net/u/user_guides/multiserver_setup).
VirtuallyNuts (OP, 2w ago)
Thanks for this! I am used to setting up, say, an nginx bouncer where it has a conf or yml file with input for an api key and secret to connect to the existing infrastructure, but the Authentik collection didn't appear to have anything like that.
blotus (2w ago)
A collection only contains parsers and scenarios for crowdsec to understand a specific log format and be able to detect attacks in the logs: it has no notion of api key. You just need to install the collection with cscli: `cscli collections install firix/authentik`, configure crowdsec to read authentik logs by creating the file `/etc/crowdsec/acquis.d/authentik.yaml` with this content (assuming you want to read the logs directly from the authentik container and it is named authentik):

```yaml
source: docker
container_name:
  - authentik
labels:
  type: authentik
```

Then restart crowdsec.
VirtuallyNuts (OP, 2w ago)
Thanks! I have it set up this far, but I don't see it in the crowdsec web portal, so I am guessing it's still missing a bouncer of some sort or some other connection to the existing infra.
Ah, I got it! I didn't realize they needed to be registered as machines; the inspect helped me to validate their logs.
CrowdSec (2w ago)
Resolving "Authentik (docker) with remote crowdsec component on network": this has now been resolved. If you think this is a mistake, please run /unresolve
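The steps from this thread collected into one script for the Authentik host, as an added example that is not part of any reply above or of CrowdSec's own tooling. The LAPI URL, the machine name suffix, the `ACQUIS_DIR` override and the `apply` argument are assumptions made for illustration; the collection name, file path and container name are the ones given in the thread.

```shell
#!/bin/sh
# Added example: run on the Authentik host (the log processor side).
# LAPI_URL is a placeholder; replace it with your existing LAPI server.
LAPI_URL="${LAPI_URL:-http://lapi.example.internal:8080}"
ACQUIS_DIR="${ACQUIS_DIR:-/etc/crowdsec/acquis.d}"

# Write the docker acquisition file from the thread.
# "type" must stay nested under "labels", so the indentation is significant.
write_acquis() {  # usage: write_acquis <dir> <container_name>
    mkdir -p "$1" || return 1
    cat > "$1/authentik.yaml" <<EOF
source: docker
container_name:
  - $2
labels:
  type: authentik
EOF
}

# Register this log processor as a machine on the existing LAPI server.
# The registration stays pending until it is validated on the LAPI side.
register_machine() {  # usage: register_machine <lapi_url> <machine_name>
    cscli lapi register -u "$1" --machine "$2"
}

setup() {
    name="$(hostname)-authentik"   # hypothetical machine name
    cscli collections install firix/authentik &&
    write_acquis "$ACQUIS_DIR" authentik &&
    register_machine "$LAPI_URL" "$name" || return 1
    echo "On the LAPI server:  cscli machines list"
    echo "                     cscli machines validate $name"
    echo "Then on this host:   systemctl restart crowdsec"
    echo "Check ingestion:     cscli metrics"
    echo "On LAPI (1.7):       cscli machines inspect $name"
}

# Nothing runs unless asked for explicitly: sh setup-authentik.sh apply
if [ "${1:-}" = "apply" ]; then setup; fi
```

The LAPI server has to listen on an address the Authentik host can reach for the registration call to succeed.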
