Okay, so I've re-read the Crowdsec docs a bit more carefully and Crowdsec can actually parse the logs directly from docker, so a log file isn't necessary. I haven't actually got this to work yet but it seems it should. I will raise it as a question to the Crowdsec folks.
Edit:
In case anyone else needs this for Immich or any other docker logs, a quick write-up follows.
Pre-requisites:
- the dockersocket app from CA to proxy the docker socket
- a custom docker network that dockersocket and Crowdsec are on. Possibly Immich too as that is where I have it.
- Immich collection installed on Crowdsec
To enable Crowdsec to read from dockersocket you need to add the variable `INFO: 1` to the dockersocket container. Source.
In your Crowdsec acquis.yaml add:

```yaml
source: docker
container_name:
  - immich
labels:
  type: immich
docker_host: tcp://dockersocket:2375
```

Source.
You will also need to whitelist some of the API calls. Create a new yaml file in /crowdsec/parsers/s02-enrich/:

```yaml
name: crowdsecurity/immich-whitelists
description: "Whitelist false positive from Immich-api"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "Whitelist false positive from Immich-api"
  expression:
    - evt.Parsed.traefik_router_name == 'immich@docker' && evt.Meta.http_verb == 'POST' && evt.Meta.http_status == '403' && evt.Parsed.request contains '/asset/upload'
    - evt.Parsed.traefik_router_name == 'immich@docker' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '429' && evt.Parsed.request contains '/api/asset/thumbnail/'
    - evt.Parsed.traefik_router_name == 'immich@docker' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '200' && evt.Parsed.request contains '/api/asset/thumbnail/'
    - evt.Parsed.traefik_router_name == 'immich@docker' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '304' && evt.Parsed.request contains '/api/asset/thumbnail/'
```

Source.
Restart Crowdsec, and the Immich logs should now be parsed without the mobile app triggering any bans.
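As an added example (not part of the post above and not CrowdSec's own code), the following Python models how the whitelist parser in the write-up decides which parsed HTTP events are dropped before any scenario sees them. CrowdSec evaluates its `filter` and `expression` lines with the Go `expr` library; this only mirrors that logic so you can check, on constructed sample events, that the whitelist is scoped to the thumbnail and upload noise the mobile app generates and does not also swallow traffic you still want scenarios to see, such as failed logins or the same paths on a different Traefik router. The event field names follow the post; the sample requests, the `nextcloud@docker` router and the `/api/auth/login` path are constructed for illustration.

```python
# Added example: a Python model of the crowdsecurity/immich-whitelists parser.
# Not CrowdSec's expr engine; all events below are constructed samples.

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Event:
    """Subset of a CrowdSec event: evt.Meta and evt.Parsed as plain dicts."""
    meta: dict = field(default_factory=dict)
    parsed: dict = field(default_factory=dict)


# One (verb, status, request substring) triple per whitelist expression in the
# parser; every expression is additionally scoped to the immich@docker router.
IMMICH_RULES = [
    ("POST", "403", "/asset/upload"),
    ("GET", "429", "/api/asset/thumbnail/"),
    ("GET", "200", "/api/asset/thumbnail/"),
    ("GET", "304", "/api/asset/thumbnail/"),
]
REASON = "Whitelist false positive from Immich-api"


def passes_filter(evt: Event) -> bool:
    """The parser's 'filter' line: only HTTP access/error log events."""
    return (evt.meta.get("service") == "http"
            and evt.meta.get("log_type") in ("http_access-log", "http_error-log"))


def whitelist_reason(evt: Event) -> Optional[str]:
    """Return the whitelist reason if any expression matches, else None."""
    if not passes_filter(evt):
        return None
    if evt.parsed.get("traefik_router_name") != "immich@docker":
        return None
    request = evt.parsed.get("request", "")
    for verb, status, fragment in IMMICH_RULES:
        if (evt.meta.get("http_verb") == verb
                and evt.meta.get("http_status") == status
                and fragment in request):
            return REASON
    return None


def make_event(verb: str, status: str, request: str,
               router: str = "immich@docker",
               log_type: str = "http_access-log") -> Event:
    """Build a constructed Traefik access-log event in CrowdSec's shape."""
    return Event(
        meta={"service": "http", "log_type": log_type,
              "http_verb": verb, "http_status": status},
        parsed={"traefik_router_name": router, "request": request},
    )


# Constructed samples: what a mobile-app sync produces (first three), plus
# traffic the whitelist must NOT drop (last two).
SAMPLE_EVENTS = {
    "thumbnail_burst_429": make_event("GET", "429", "/api/asset/thumbnail/abc123?format=WEBP"),
    "thumbnail_cached_304": make_event("GET", "304", "/api/asset/thumbnail/abc123?format=WEBP"),
    "duplicate_upload_403": make_event("POST", "403", "/api/asset/upload"),
    "login_failure_401": make_event("POST", "401", "/api/auth/login"),
    "other_router_429": make_event("GET", "429", "/api/asset/thumbnail/abc123",
                                   router="nextcloud@docker"),
}


def classify(events: dict) -> dict:
    """Map each sample name to True (dropped by whitelist) or False (kept)."""
    return {name: whitelist_reason(evt) is not None for name, evt in events.items()}


if __name__ == "__main__":
    for name, dropped in classify(SAMPLE_EVENTS).items():
        print(f"{name:22s} -> {'whitelisted' if dropped else 'kept for scenarios'}")
```

The two "kept" samples are the ones worth checking whenever you extend the expression list: a whitelist keyed only on verb and status, without the router and path conditions, would also drop failed logins, and then the Immich collection's brute-force scenarios would never fire.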