#Crowdsec adding containers automatically... No file wanted


dusty roost
#

Hello there,

I'm experiencing an issue with a docker configuration. A long time ago (it goes back to 2022) I came here and asked: hey, is there a way for crowdsec to access the log stream of my containers, because I really don't want to add every source manually...
Someone helped me with an acquis file of his own, with a regexp:

source: docker
container_name_regexp:
  - ^[a-zA-Z0-9.-]*$   # any container name made of letters, digits, dots or dashes
labels:
  type: log_type  # now that I think about it this seems strange

So back then I was just using docker compose; now I'm using docker swarm, which I had to learn...

So back then I tried and was getting banned from my authelia with bad passwords, so everything seemed fine.

I made a mistake in not testing after every update...
So somewhere along the way it stopped working...

First things first, I tried to add a character to my regexp because swarm uses the underscore _

source: docker
container_name_regexp:
  - ^[a-zA-Z0-9._-]*$   # underscore added: swarm names containers <stack>_<service>.<slot>.<id>
labels:
  type: log_type

Nothing changed. I asked my good friend google and changed my acquis file like so:

source: docker
use_container_labels: true

Still no change...
And I can't find the documentation about the acquis file with all the options described...

Before you ask: yes, I mounted the docker sock with the ro option on the crowdsec container (recently updated to v1.7.6-slim)

A little help would be appreciated... The idea is to offer everything to crowdsec and step up security bit by bit, only changing the crowdsec config to read from that container too...

[EDIT]
So I tried something

source: docker
container_name_regexp:
  - ^[a-zA-Z0-9._-]*authelia[a-zA-Z0-9._-]*$   # only containers whose name contains "authelia"
labels:
  type: authelia

Now my authelia is listed in the acquis, I am banned in the decisions and in my iptables.
Yet I can still continue to brute force and the count is still growing 😅

tardy tideBOT
#
Important Information

This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve

left frost
dusty roost
#

So I wanted to edit again but saw the message; it was an issue about the delay between the decision and its application by the firewall bouncer... After a few minutes I got a blank page.

I would have expected the traefik bouncer to block me first though... (I just changed from the old deprecated one to the plugin one)

More things to do, but now I'm on the right track, but...

Now I would like to know if I need to explicitly declare all containers I want to be parsed, or if I can list all types of logs with something like that:

source: docker
container_name_regexp:
  - ^[a-zA-Z0-9._-]*$
labels:
  types:
    - authelia
    - traefik
    - <any other one I would add>

[edit post reading the doc]
Thanks for the doc, I searched for it honestly... But missed this page 😅

I will need to investigate those labels... I'm using compose files to deploy my containers... So if it's like traefik I should manage to simplify that quite easily

I'll keep it open until I have tried those labels

🤘 YOU ROCK 🤘

left frost
#

You cannot specify multiple types per acquisition entry.

Yeah, your best bet would be to use the container labels; that way you can have a single configuration in crowdsec but still have something dynamic per container.
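
As an added example (not posted by anyone in this thread, and not taken from the CrowdSec project), here is what the label-driven setup described above looks like for a Swarm stack file plus the matching single acquis entry. It assumes the label names `crowdsecurity.enable` and `crowdsecurity.labels.type` used by the CrowdSec docker datasource documentation, and that the image picks up extra acquisition files from `/etc/crowdsec/acquis.d`; the service names, images and paths are made up for illustration.

```yaml
# File 1: stack file deployed with `docker stack deploy` (constructed example).
# Assumption: the CrowdSec docker datasource reads the container labels
# crowdsecurity.enable and crowdsecurity.labels.type, as in its documentation.
services:
  authelia:
    image: authelia/authelia          # hypothetical image tag, adjust to yours
    labels:                           # service-level labels are copied onto each container
      crowdsecurity.enable: "true"    # opt this container in (containers without it are skipped)
      crowdsecurity.labels.type: "authelia"   # becomes labels.type for the authelia parser
    deploy:
      labels:                         # Swarm *service* labels: not visible on the container,
        traefik.enable: "true"        # so CrowdSec would not see crowdsecurity.* placed here

  traefik:
    image: traefik:v3                 # hypothetical image tag
    labels:
      crowdsecurity.enable: "true"
      crowdsecurity.labels.type: "traefik"

  crowdsec:
    image: crowdsecurity/crowdsec:v1.7.6-slim
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # read-only socket, as in the original post
      - ./acquis.d:/etc/crowdsec/acquis.d:ro           # assumed location for extra acquis files

# File 2: acquis.d/docker.yaml - one entry for every labelled container.
# No container_name_regexp and no fixed labels.type: both now come from each container.
source: docker
use_container_labels: true
```

Adding a new service is then a two-label change in the stack file and no change to the CrowdSec configuration; `cscli metrics show acquisition` should list one docker source per opted-in container once the stack has been redeployed. If you prefer to stay with explicit entries instead, an acquis file can hold several YAML documents separated by `---`, each with its own `container_name_regexp` and a single `labels.type`.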

dusty roost
#

Will definitely try that this evening, thanks a lot. I'll keep in touch to validate the solution 😉 but it seems to me that was what I was missing 😁

dusty roost
#

Yes... After a few restarts of my stack service I have everything working; cscli metrics show acquisition shows the 4 services I want... Now I can dig into the "new feature"... App-sec/WAF

thanks again !

tardy tideBOT
#

Resolving Crowdsec adding containers automatically... No file wanted