NethServer / dev

NethServer issue tracker
https://github.com/NethServer/dev/issues

Crowdsec SYSLOG_IDENTIFIER is blind #6897

Closed stephdl closed 2 months ago

stephdl commented 3 months ago

Steps to reproduce

time="18-03-2024 11:33:58" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 SYSLOG_IDENTIFIER=dokuwiki2]" src="journalctl-SYSLOG_IDENTIFIER=dokuwiki2" type=journalctl

and for services

time="18-03-2024 11:33:58" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 _SYSTEMD_UNIT=sshd.service]" src="journalctl-_SYSTEMD_UNIT=sshd.service" type=journalctl

Expected behavior

I expect that crowdsec is able to read logs from journald

Actual behavior

In fact SYSLOG_IDENTIFIER is no longer used

[root@R4-pve ~]# journalctl SYSLOG_IDENTIFIER=mail1
-- No entries --
[root@R4-pve ~]# 

This means that crowdsec is fully blind.

We could use the UID instead:

journalctl _UID=$(id -u mail1)

Components

ghcr.io/nethserver/crowdsec:1.0.6

See also https://mattermost.nethesis.it/nethesis/pl/pgogitpypfb57kyn5p56w13asc

Thanks davidep
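The check behind the report above (does a given journald match expression return anything at all, and does `_UID=<n>` work where `SYSLOG_IDENTIFIER=<user>` does not) can be scripted so every acquisition filter is audited at once. This is an added example, not code from NethServer or CrowdSec. It assumes a journalctl-compatible command named by the `JOURNALCTL` variable; when the real binary is absent it falls back to `fake_journalctl`, a constructed stand-in that only "knows" sshd.service and root's UID, with a made-up sample line rather than real journal output.

```shell
#!/bin/sh
# Added example (not NethServer or CrowdSec code): audit the journald match
# expressions a crowdsec journalctl acquisition uses and flag the "blind" ones,
# i.e. those for which journald returns no entries, as SYSLOG_IDENTIFIER=<user>
# does in the issue. JOURNALCTL is assumed to name a journalctl-compatible
# command; it is pointed at a constructed stub when the real binary is missing.

JOURNALCTL="${JOURNALCTL:-journalctl}"

# journal_filter_status MATCH
# Prints "ok" when at least one entry matches, "blind" when journald returns
# nothing for it, "error" when journalctl itself fails (bad field, no access).
# Both an empty result and the literal "-- No entries --" marker count as
# blind, since journalctl may still print the marker even with -q.
journal_filter_status() {
    match=$1
    if ! out=$("$JOURNALCTL" -q -n 1 -o cat "$match" 2>/dev/null); then
        echo error
        return 0
    fi
    case "$out" in
        ''|'-- No entries --') echo blind ;;
        *) echo ok ;;
    esac
}

# uid_filter_for_user USER
# Prints the _UID=<n> match that replaces SYSLOG_IDENTIFIER=<user> for a
# service running under its own account (the workaround proposed above).
# Fails if the account does not exist on this host.
uid_filter_for_user() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    echo "_UID=$uid"
}

# audit_filters MATCH...
# Reports every match with its status; exit status 1 if any filter is blind,
# so it can gate a deployment or a QA step.
audit_filters() {
    blind=0
    for m in "$@"; do
        s=$(journal_filter_status "$m")
        printf '%-40s %s\n' "$m" "$s"
        [ "$s" = blind ] && blind=1
    done
    return $blind
}

# Constructed stand-in for journalctl, used only when the real binary is
# missing: it answers for sshd.service and for _UID=0, returns the marker for
# any SYSLOG_IDENTIFIER match, and fails on an unknown field. The log line is
# a made-up sample, not real journal output.
fake_journalctl() {
    for arg in "$@"; do
        case "$arg" in
            _SYSTEMD_UNIT=sshd.service|_UID=0)
                echo 'Accepted publickey for root from 192.0.2.10 port 50214 ssh2'
                return 0 ;;
            SYSLOG_IDENTIFIER=*)
                echo '-- No entries --'
                return 0 ;;
            NOT_A_FIELD=*)
                return 1 ;;
        esac
    done
    return 0
}

command -v journalctl >/dev/null 2>&1 || JOURNALCTL=fake_journalctl

# Demo: the two matches from the issue plus the proposed UID replacement
# (root is used here because it exists everywhere; substitute the service user).
audit_filters "SYSLOG_IDENTIFIER=mail1" "_SYSTEMD_UNIT=sshd.service" \
    "$(uid_filter_for_user root)"
```

On a real host, run it with the exact strings from the crowdsec acquisition file (the `journalctl_filter` list of a `source: journalctl` entry) so the audit covers what the container actually asks journald for; any line reported as `blind` is a source crowdsec cannot see, and `uid_filter_for_user <service-user>` gives the `_UID=` match to put in its place.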

stephdl commented 3 months ago

QA

Install crowdsec ghcr.io/nethserver/crowdsec:1.0.7-dev.1. Once installed, the goal is to get banned; you can do it over ssh to demonstrate it (remember to allow the ban from the LAN if needed).

nrauso commented 3 months ago

test case: VERIFIED

DavidePrincipi commented 2 months ago

Released in https://github.com/NethServer/ns8-crowdsec/releases/tag/1.0.7