#The ban does not work

Hello everyone,
I just installed crowdsec and nginx proxy manager with docker and I wanted to test the ban but ca does not work. So here I am asking for help to understand the problem.
I followed this youtube tutorial https://youtu.be/qnviPAMwAuw for the setup.
There are two differences with me. First I prefer to have all volumes in the same directory that the file composes as shown below.
Secondly (and for me this is the cause of the problem) I configured docker in rootless mode to increase security. This means that the logs folders do not have all privileges.
Looking at logs, I see warnings:

level=warning msg="No matching files for pattern/var/log/nginx/*. log" type=file
level=warning msg="No matching files for pattern . /tests/nginx/nginx.log" type=file

Thank you to all who will take the time to help me

file composes :

services:
  nginx-proxy-manager:
    image: 'lepresidente/nginx-proxy-manager:latest'
    restart: always
    ports:
      - 8181:8181
      - 8080:8080
      - 4443:4443
    environment:
      TZ: Europe/Brussels
      DISABLE_IPV6: 1
    volumes:
      - "./data/nginx-proxy-manager:/config"
      - "./data/nginx-proxy-manager/crowdsec/templates:/templates:ro"
    networks:
      crowdsec_proxy:
        ipv4_address: 172.20.0.4

  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    expose:
      - 8080
    environment:
      TZ: Europe/Brussels
      PGID: 1000
    volumes:
      - "./crowdsec/data:/var/lib/crowdsec/data"
      - "./crowdsec/config:/etc/crowdsec"
      - "/var/log/auth.log:/var/log/auth.log:ro"
      - "/data/logs:/var/log/nginx:ro"
    restart: unless-stopped
    networks:
      crowdsec_proxy:
        ipv4_address: 172.20.0.6

networks:
  crowdsec_proxy:
    ipam:
      driver: default
      config:
        - subnet: 172.20.0.0/24

So from this compose you are mounted ./data/nginx-proxy-manager to /config within NPM, but for the logs mount on crowdsec you are mounting /data/logs wouldnt it need to be ./data/logs? or even ./data/nginx-proxy-manager/logs? but I dont know the structure of /config directory

I cannot currently access the computer to show you the structure. Here is the file composed of the video that is functional

version: "3.8"
services:
  nginx-proxy-manager:
    image: 'lepresidente/nginx-proxy-manager:latest'
    restart: always
    ports:
      - "8181:8181"
      - "8080:8080"
      - "4443:4443"
    environment:
      TZ: "America/New_York"
      DISABLE_IPV6: "1"
    volumes:
      - "/npm/data/nginx-proxy-manager:/config:rw"
      - "/npm/data/nginx-proxy-manager/crowdsec/templates:/templates:ro"
    networks:
      crowdsec_proxy:
        ipv4_address: 172.20.0.4


  crowdsec:
    image: "crowdsecurity/crowdsec:latest"
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
    volumes:
      - "/npm/crowdsec/data:/var/lib/crowdsec/data"
      - "/npm/crowdsec/config:/etc/crowdsec"
      - "/var/log/auth.log:/var/log/auth.log:ro"
      - "/data/logs:/var/log/nginx:ro"
    restart: unless-stopped
    networks:
      crowdsec_proxy:
        ipv4_address: 172.20.0.6

networks:
  crowdsec_proxy:
    ipam:
      driver: default
      config:
        - subnet: 172.20.0.0/24

I don’t think I miscalculated the volumes. However, since I am rootless, I have to create the elements/data and/var/log/auth.log myself to give the rights of no-root users

well if you exec into the crowdsec container and go to /var/log/nginx do you see any log files? if not then its a mount issue and nothing is passed to the crowdsec container

OK I will try as soon as I have access to the PC but it will not be right away

Hello. Indeed, there is no log. I have therefore changed /data/logs . /data/nginx-proxy-manager/logs to get the logs from the other container. I don’t know why it worked in the tutorial, maybe it is an old version.
Otherwise, I have another issue related to crowdsec mounting wants to access/var/log/auth.log but I’m on arch linux and there is no file. What is planned to be done on this distribution?

What is planned to be done on this distribution?
If you dont use rsyslog which arch maybe wont, you can simply pass the journald folder into crowdsec and use the journalctl datasource

this is presuming your arch install is using systemd

/var/log/journal/ is the folder

  crowdsec:
    image: "crowdsecurity/crowdsec:latest"
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
    volumes:
      - "/npm/crowdsec/data:/var/lib/crowdsec/data"
      - "/npm/crowdsec/config:/etc/crowdsec"
      - "/var/log/journal/:/var/log/journal/:ro"
      - "/data/logs:/var/log/nginx:ro"

then if you got ssh it should be

# /npm/crowdsec/config/acquis.d/ssh.yaml
source: journalctl
journalctl_filter:
 - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog

Thank you very much for your answer. I will try again when I have the opportunity

in any case, for information. I no longer have the log errors as before. I just have a little warning for updates and this error:

level=fatal msg="failed to update hub: failed http request for https://cdn-hub.crowdsec.net/crowdsecurity/master/.index.json?with_content=true: Get \"https://cdn-hub.crowdsec.net/crowdsecurity/master/.index.json?with_content=true\": dial tcp: lookup cdn-hub.crowdsec.net on 127.0.0.11:53: server misbehaving"

All other warnings sounds also related to 127.0.0.11:53

Now that I think about it, the test that was not going to ban manually my IP and that I could still access the site. Do I have another problem or could it be caused by a log issue?

This usually happens when you running a custom DNS server within docker and you set it to be exposed on all listeners EG: - 53:53

if you run cscli bouncers list does the api key have an ip address?

I tell you this tonight