Skip to main content
Version: v1.2

Journald

This module allows CrowdSec to acquire logs from journalctl files in one-shot and streaming mode.

Configuration example#

To monitor SSH logs from journald:

source: journalctljournalctl_filters: - _SYSTEMD_UNIT=ssh.service

Parameters#

journalctl_filters#

A list of journalctl filters. This is mandatory.

source#

Must be journalctl

DSN and command-line#

This module supports acquisition directly from the command line, to read journalctl logs in one shot.

A 'pseudo DSN' must be provided:

crowdsec -type syslog -dsn journalctl://filters=_SYSTEMD_UNIT=ssh.service&filters=_UID=42

You can specify the log_level parameter to change the log level for the acquisition :

crowdsec -type syslog -dsn journalctl://filters=MY_FILTER&filters=MY_OTHER_FILTER&log_level=debug