Vector - Tag - arleo.euhttps://www.arleo.eu/en/tags/vector/Vector - Tag - arleo.euHugo -- gohugo.ioenWed, 15 Apr 2026 19:02:00 +0200CrowdSec Log Pipeline with Vector: Filtering Noise and Capturing Real Banshttps://www.arleo.eu/en/posts/crowdsec-vector-pipeline/Wed, 15 Apr 2026 19:02:00 +0200Jmrhttps://www.arleo.eu/en/posts/crowdsec-vector-pipeline/

⚡ In short

The initial Vector pipeline was flooding BetterStack with ~500 events/24h, of which 434 were CAPI pulls with no local monitoring value. This work reconfigures the Vector filter to keep only high-value bans (cscli) and fixes a major blind spot: actual nginx-lua bouncer bans were not appearing anywhere in BetterStack.

🧠 Why

This homelab’s security stack relies on three components working together:

  • nginx with the CrowdSec lua bouncer (lua-resty-crowdsec) for real-time request blocking
  • CrowdSec for threat detection and ban decision management
  • Vector centralizing logs to BetterStack for monitoring

After setting up the initial pipeline, two problems quickly became apparent. First, the signal was drowned in noise: out of 500 events/24h, 434 came from the hourly community CAPI pull and 66 from third-party lists — neither represents a threat detected on this infrastructure. Second, actual lua bouncer bans (real-time blocks in nginx) were not appearing anywhere in BetterStack, creating a blind spot on real security activity.

]]>Normalizing nginx and CrowdSec Logs in BetterStack with Vectorhttps://www.arleo.eu/en/posts/vector-logs-harmonisation-betterstack/Fri, 10 Apr 2026 21:04:00 +0200Jmrhttps://www.arleo.eu/en/posts/vector-logs-harmonisation-betterstack/

⚡ In short

Two problems coexisted in BetterStack: mcp-oauth.access.log logs arrived as unreadable raw JSON, and CrowdSec logs produced visual duplicates. This work normalizes all logs so they display as structured clickable tags, with correct timestamps and without parasitic fields.

🧠 Why

BetterStack displays logs as highlighted clickable tags in the Live Tail when JSON fields are properly structured. Before this work, observation was degraded on two fronts:

  • mcp-oauth.access.log logs arrived as unreadable raw JSON (custom format incompatible with Vector’s nginx parser) — fields nginx.client, nginx.path, nginx.status were not extracted
  • CrowdSec and CF WAF logs arrived as plain text with duplicates (Ban ban | ... | Ban ban)

The goal was to normalize all logs in BetterStack to display like standard nginx logs:

]]>