hslatman / caddy-crowdsec-bouncer

A Caddy module that blocks malicious traffic based on decisions made by CrowdSec.
137 stars, 4 forks

Do we need a separate crowdsec agent running? #40

Open apxcarter opened 6 months ago

apxcarter commented 6 months ago

I'm new to crowdsec, but my understanding is that I need an agent running on the same machine/vm/container to consume logs and send alerts to the LAPI.

Does this also handle that for Caddy logs or is it just the bouncer? Do we need Caddy's logs set to a certain mode or anything?

hslatman commented 6 months ago

Hey @apxcarter,

This is just the Caddy bouncer, currently. I started looking at integrating the new App Sec component here, but I haven't had much time to think it all through, so that's not there yet.

You're right that you'll need the CrowdSec Agent running somewhere too; it's not launched as part of this Caddy bouncer, or something like that. It shouldn't be required to run it on the same machine as Caddy, as long as the logs can be read by the Agent. You could send the logs to the Agent using the syslog format, for example, although that probably requires some more configuration and testing to get right. Running it locally, or at least close (e.g. in a Docker container in the same network, potentially with a shared volume for the logs), probably is the easiest way to get started testing. There's some official docs for that part on the hub: https://app.crowdsec.net/hub/author/crowdsecurity/configurations/caddy-logs.

It's still on my list to improve usage examples, including how to configure logs, but I need to find some time 😅
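The layout described in the reply above (Agent in a container next to Caddy, reading its logs from a shared volume), as an added example that is not part of the thread or the project's own documentation. The service names, volume name, log path and the `caddy-with-bouncer:local` image tag are assumptions; the acquisition stanza follows the caddy-logs hub page linked above.

```yaml
# --- docker-compose.yml (constructed example) ---
services:
  caddy:
    # Hypothetical local image: Caddy built with the caddy-crowdsec-bouncer module.
    image: caddy-with-bouncer:local
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Assumed log location: Caddy is configured to write access logs here.
      - caddy-logs:/var/log/caddy

  crowdsec:
    image: crowdsecurity/crowdsec
    environment:
      # Installs the Caddy collection (log parser and scenarios) from the hub.
      COLLECTIONS: "crowdsecurity/caddy"
    volumes:
      # Same volume as Caddy, mounted read-only: the Agent only consumes the logs.
      - caddy-logs:/var/log/caddy:ro
      # Acquisition config telling the Agent which files to read (second document below).
      - ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro

volumes:
  caddy-logs:
---
# --- acquis.yaml (constructed example) ---
# Points the Agent at the Caddy log files and labels them so the
# Caddy parser from the hub is applied to each line.
filenames:
  - /var/log/caddy/*.log
labels:
  type: caddy
```

The bouncer in Caddy then only needs to reach the LAPI exposed by the `crowdsec` service; log parsing and alerting stay entirely on the Agent side.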

Simbiat commented 1 month ago

Don't know if it will be of much use, but my project https://github.com/Simbiat/simbiat.ru has docker-compose.yml, env.example and config folder with what is required to set up FrankenPHP, CrowdSec and MariaDB. Not a tutorial, yes, but should be mostly straightforward.