Remove documentation (#820)

Remove docs folder as it has been moved to a dedicated repository.
blotus 2021-05-31 18:14:18 +02:00 committed by GitHub
parent f25d02a7c8
commit 3705c0be50
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
253 changed files with 9 additions and 18318 deletions


@ -128,3 +128,12 @@ Or look directly at [installation documentation](https://doc.crowdsec.net/Crowds
This repository contains the code for the two main components of crowdsec :
- `crowdsec` : the daemon a-la-fail2ban that can read, parse, enrich and apply heuristics to logs. This is the component in charge of "detecting" the attacks
- `cscli` : the cli tool mainly used to interact with crowdsec : ban/unban/view current bans, enable/disable parsers and scenarios.
## Contributing
If you wish to contribute to the core of crowdsec, you are welcome to open a PR in this repository.
If you wish to add a new parser, scenario or collection, please open a PR in the [hub repository](https://github.com/crowdsecurity/hub).
If you wish to contribute to the documentation, please open a PR in the [documentation repository](http://github.com/crowdsecurity/crowdsec-docs).
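Review bot: the documentation repository link on the last added line uses plain `http://github.com/crowdsecurity/crowdsec-docs` while the hub link just above it uses `https://`; change it to `https://github.com/crowdsecurity/crowdsec-docs` so contributors are not sent through an unencrypted redirect. Minor: the two component bullets put a space before the colon ("`crowdsec` :", "`cscli` :"), which reads as a typo in English prose.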


@ -1,152 +0,0 @@
# Contributing
You have an idea, a suggestion or you spotted a mistake ?
Help us improve the software and the user experience, to make the internet a safer place together !
## Contributing to the documentation
If you spotted some mistakes in the documentation or have improvement suggestions, you can :
- open a {{v1X.doc.new_issue}} if you are comfortable with github
- let us know on {{v1X.doc.discourse}} if you want to discuss about it
Let us as well know if you have some improvement suggestions !
<details>
<summary>Preview your documentation changes locally</summary>
```bash
python3 -m venv cs-env
source cs-env/bin/activate
pip install -r docs/requirements.txt
mkdocs serve
```
</details>
## Contributing to the code
- If you want to report a bug, you can use [the github bugtracker]({{v1X.crowdsec.bugreport}})
- If you want to suggest an improvement you can use either [the github bugtracker]({{v1X.crowdsec.bugreport}}) or the {{v1X.doc.discourse}} if you want to discuss
## Contributing to the parsers/scenarios
If you want to contribute your parser or scenario to the community and have them appear on the {{v1X.hub.htmlname}}, you should [open a merge request](https://github.com/crowdsecurity/hub/pulls) on the hub.
We are currently working on a proper [CI](https://en.wikipedia.org/wiki/Continuous_integration) for the {{v1X.hub.htmlname}}, so for now all contribution are subject to peer-review, please bear with us !
## Contacting the team
If you want to contact us using non-public media, you can contact us on `support` AT `crowdsec` DOT `net` with the following gpg-key :
## Publishing bouncers
We do welcome bouncers from the community, and will gladly publish them on the hub.
### Why ?
Sharing your bouncer on the hub allows other users to find it and use it. While increasing your code's visibility, it ensures as well a benevolent look from the community and the team over it.
### How ?
To have your bouncer published on the hub, please simply [open a new issue on the hub](https://github.com/crowdsecurity/hub/issues/new), requesting "bouncer inclusion". The bouncer will then be reviewed by the team, and then will be published directly on the hub, for everyone to find & use it !
The information that should be stated in your issue are :
- The source repository of your bouncer (for example `https://github.com/crowdsecurity/cs-firewall-bouncer/`)
- The software licence used
- The current status of the bouncer (stage : dev/unstable/stable)
- Documentation (can be simply in the README.md) :
- must contains : installing, uninstalling
- should contains : configuration documentation
- Link to existing tests if applicable (functional tests or unit tests)
Please take care of the following :
- Ensure your repository has a About/Short description meaningful enough : it will be displayed in the hub
- Ensure your repository has a decent README.md file : it will be displayed in the hub
- Ensure your repository has *at least* one release : this is what users will be looking for
- (ideally) Have a "social preview image" on your repository : this will be displayed in the hub when available
- (ideally) A Howto or link to guide that provides a hands-on experience with the bouncer
Please find below a template :
```markdown
Hello,
I would like to suggest the addition of the `XXXX` to the hub :
- Source repository: https://github.com/xxx/xxx/
- Licence : MIT
- Current status : stable (has been used in production for a while)
- README/doc : https://github.com/xxx/xxx/blob/main/README.md
- Existing tests :
- functional tests : https://github.com/xxx/xxx/blob/main/.github/workflows/tests.yml
- Short/Long description : OK
- Howto : in README
- At least one release : yes
```
## Publishing parsers, scenarios and collections
### Why ?
Sharing your parsers, scenarios and collections on the hub allows other users to find it and use it. While increasing your code's visibility, it ensures as well a benevolent look from the community and the team over it.
### How ?
To have your parser/scenario published on the hub, please simply [open a new issue on the hub](https://github.com/crowdsecurity/hub/issues/new), requesting "parser/scenario inclusion". The configurations will then be reviewed by the team, and then will be published directly on the hub, for everyone to find & use it !
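Review bot: this deleted CONTRIBUTING.md was the only place in the repository that published the private contact address (`support` AT `crowdsec` DOT `net`) together with its PGP key, as well as the bouncer inclusion template; the README text added in this commit only links to the documentation repository. Confirm the contact address and key have landed there, or keep a one-line pointer in this repository, so that there is still an in-repo path for reporting issues privately.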


@ -1,232 +0,0 @@
# FREQUENTLY ASKED QUESTIONS
## What is {{v1X.crowdsec.name}} ?
{{v1X.crowdsec.Name}} is a security open-source software. See the [overview](/#what-is-crowdsec).
## I've installed crowdsec, it detects attacks but doesn't block anything ?!
Yes, {{v1X.crowdsec.Name}} is in charge of detecting attacks, and {{v1X.bouncers.htmlname}} are applying decisions.
If you want to block the detected IPs, you should deploy a bouncer, such as the ones found on the [hub](https://hub.crowdsec.net/browse/#bouncers) !
## What language is it written in ?
{{v1X.crowdsec.Name}} is written in [Golang](https://golang.org/).
## What licence is {{v1X.crowdsec.name}} released under ?
{{v1X.crowdsec.Name}} is under [MIT license]({{v1X.crowdsec.url}}/blob/master/LICENSE).
## Which information is sent to the APIs ?
Our aim is to build a strong community that can share malevolent attackers IPs, for that we need to collect the bans triggered locally by each user.
The signal sent by your {{v1X.crowdsec.name}} to the central API only contains only meta-data about the attack :
- Attacker IP
- Scenario name
- Time of start/end of attack
Your logs are not sent to our central API, only meta-data about blocked attacks will be.
When pulling block-lists from the platform, the following information is shared as well :
- list of [upstream installed scenarios](https://crowdsecurity.github.io/api_doc/index.html?urls.primaryName=CAPI#/watchers/post_metrics)
- list of [bouncers & number of machines](https://crowdsecurity.github.io/api_doc/index.html?urls.primaryName=CAPI#/watchers/post_metrics)
## What is the performance impact ?
As {{v1X.crowdsec.name}} only works on logs, it shouldn't impact your production.
When it comes to {{v1X.bouncers.name}}, it should perform **one** request to the database when a **new** IP is discovered thus have minimal performance impact.
## How fast is it ?
{{v1X.crowdsec.name}} can easily handle several thousands of events per second on a rich pipeline (multiple parsers, geoip enrichment, scenarios and so on). Logs are a good fit for sharding by default, so it is definitely the way to go if you need to handle higher throughput.
If you need help for large scale deployment, please get in touch with us on the {{v1X.doc.discourse}}, we love challenges ;)
## What backend database does {{v1X.crowdsec.Name}} supports and how to switch ?
{{v1X.crowdsec.name}} versions (under v0.3.X) supports SQLite (default) and MySQL databases.
See [backend configuration](/Crowdsec/v0/references/output/#switching-backend-database) for relevant configuration. MySQL here is more suitable for distributed architectures where bouncers across the applicative stack need to access a centralized ban database.
{{v1X.crowdsec.name}} versions (after v1) supports SQLite (default), MySQL and PostgreSQL databases.
See [databases configuration](/Crowdsec/v1/user_guide/database/) for relevant configuration. Thanks to the {{v1X.lapi.Htmlname}}, distributed architectures are resolved even with sqlite database.
SQLite by default as it's suitable for standalone/single-machine setups.
## How to control granularity of actions ? (whitelists, simulation etc.)
{{v1X.crowdsec.name}} support both [whitelists](/Crowdsec/v1/write_configurations/whitelist/) and [simulation](/Crowdsec/v1/references/simulation/) :
- Whitelists allows you to "discard" events or overflows
- Simulation allows you to simply cancel the decision that is going to be taken, but keep track of it
{{v1X.profiles.htmlname}} allows you to control which decision will be applied to which alert.
## How to know if my setup is working correctly ? Some of my logs are unparsed, is it normal ?
Yes, crowdsec parsers only parse the logs that are relevant for scenarios :)
Take a look at `cscli metrics` [and understand what do they mean](/Crowdsec/v1/getting_started/crowdsec-tour/#reading-metrics) to know if your setup is correct.
## How to add whitelists ?
You can follow this [guide](/Crowdsec/v1/write_configurations/whitelist/)
## How to set up proxy ?
Setting up a proxy works out of the box, the [net/http golang library](https://golang.org/src/net/http/transport.go) can handle those environment variables:
* `HTTP_PROXY`
* `HTTPS_PROXY`
* `NO_PROXY`
For example:
```
export HTTP_PROXY=http://<proxy_url>:<proxy_port>
```
### Systemd variable
On Systemd devices you have to set the proxy variable in the environment section for the CrowdSec service. To avoid overwriting the service file during an update, a folder is created in `/etc/systemd/system/crowdsec.service.d` and a file in it named `http-proxy.conf`. The content for this file should look something like this:
```
[Service]
Environment=HTTP_PROXY=http://myawesomeproxy.com:8080
Environment=HTTPS_PROXY=https://myawesomeproxy.com:443
```
After this change you need to reload the systemd daemon using:
`systemctl daemon-reload`
Then you can restart CrowdSec like this:
`systemctl restart crowdsec`
### Sudo
If you use `sudo` {{v1X.cli.name}}, just add this line in `visudo` after setting up the previous environment variables:
```
Defaults env_keep += "HTTP_PROXY HTTPS_PROXY NO_PROXY"
```
## How to report a bug ?
To report a bug, please open an issue on the [repository]({{v1X.crowdsec.bugreport}}).
## What about false positives ?
Several initiatives have been taken to tackle the false positives approach as early as possible :
- The scenarios published on the hub are tailored to favor low false positive rates
- You can find [generic whitelists](https://hub.crowdsec.net/author/crowdsecurity/collections/whitelist-good-actors) that should allow to cover most common cases (SEO whitelists, CDN whitelists etc.)
- The [simulation configuration](/Crowdsec/v1/references/simulation/) allows you to keep a tight control over scenario and their false positives
## I need some help
Feel free to ask for some help to the {{v1X.doc.discourse}} or directly in the {{v1X.doc.gitter}} chat.
## How to use crowdsec on raspberry pi OS (formerly known as rasbian)
Please keep in mind that raspberry pi OS is designed to work on all
raspberry pi versions. Even if the port target is known as armhf, it's
not exactly the same target as the debian named armhf port.
The best way to have a crowdsec version for such an architecture is to
do:
1. install golang (all versions from 1.13 will do)
2. `export GOARCH=arm`
3. `export CGO=1`
4. Update the GOARCH variable in the Makefile to `arm`
5. install the arm gcc cross compilator (On debian the package is gcc-arm-linux-gnueabihf)
6. Compile crowdsec using the usual `make` command
## How to have a dashboard without docker
`cscli dashboard` rely on [`docker`](https://docs.docker.com/) to launch the `metabase` image. If `docker` is not installed on your machine, here are the step to follow to get crowdsec dashboards without docker:
- Download Metabase `jar` file. See [metabase documentation](https://www.metabase.com/docs/latest/operations-guide/running-the-metabase-jar-file.html).
- Download the `metabase.db` folder from Crowdsec [here](https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip).
- Unzip the `zip` file:
```bash
unzip metabase_sqlite.zip
```
- Make crowdsec database reachable from metabase :
```bash
sudo mkdir /metabase-data/
sudo ln -s /var/lib/crowdsec/data/crowdsec.db /metabase-data/crowdsec.db
```
- Launch Metabase:
```bash
sudo MB_DB_TYPE=h2 MB_DB_FILE=<absolute-path>/metabase.db/metabase.db java -jar metabase.jar
```
!!! warning
The default username is `crowdsec@crowdsec.net` and the default password is `!!Cr0wdS3c_M3t4b4s3??`. Please update the password when you will connect to metabase for the first time
You can as well check [liberodark's helper script for it](https://github.com/liberodark/crowdsec-dashboard).
## How to configure crowdsec/cscli to use Tor
It is possible to configure `cscli` and `crowdsec` to use [tor](https://www.torproject.org/) to anonymously interact with our API.
All (http) requests made to the central API to go through the [tor network](https://www.torproject.org/).
With tor installed, setting `HTTP_PROXY` and `HTTPS_PROXY` environment variables to your socks5 proxy will do the trick.
### Running the wizard with tor
```bash
$ sudo HTTPS_PROXY=socks5://127.0.0.1:9050 HTTP_PROXY=socks5://127.0.0.1:9050 ./wizard.sh --bininstall
```
!!! warning
Do not use the wizard in interactive (`-i`) mode if you're concerned, as it will start the service at the end of the setup, leaking your IP address.
### Edit crowdsec systemd unit to push/pull via tor
```bash
[Service]
Environment="HTTPS_PROXY=socks5://127.0.0.1:9050"
Environment="HTTP_PROXY=socks5://127.0.0.1:9050"
...
```
### Using cscli via tor
```bash
$ sudo HTTP_PROXY=socks5://127.0.0.1:9050 HTTPS_PROXY=socks5://127.0.0.1:9050 cscli capi register
```
<!--
## What are common use-cases ?
**TBD**
## What about false positives ?
**TBD**
## How to test if it works ?
**TBD**
## Who are you ?
**TBD**
-->
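Review bot: two security-relevant warnings disappear with this FAQ: the dockerless dashboard section's note that the Metabase instance ships with default credentials (`crowdsec@crowdsec.net` / `!!Cr0wdS3c_M3t4b4s3??`) that must be changed at first login, and the Tor section's note that the wizard's interactive (`-i`) mode starts the service at the end of setup and thereby leaks the host IP. Make sure both are present in the dedicated documentation repository before this merges, since users following existing install guides will look for them here. The commented-out `**TBD**` sections at the end were never rendered and need no replacement.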


@ -1,41 +0,0 @@
<center>[[Hub]]({{v1X.hub.url}}) [[Releases]]({{v1X.crowdsec.download_url}})</center>
!!! warning
For crowdsec versions `<= 1.0` please refer to [v0.3.X](/Crowdsec/v0/)
For crowdsec versions `>= 1.0` please refer to [v1.X](/Crowdsec/v1/)
# What is {{v1X.crowdsec.Name}} ?
[{{v1X.crowdsec.Name}}]({{v1X.crowdsec.url}}) is an open-source and lightweight software that allows you to detect peers with malevolent behaviors and block them from accessing your systems at various level (infrastructural, system, applicative).
To achieve this, {{v1X.crowdsec.Name}} reads logs from different sources (files, streams ...) to parse, normalize and enrich them before matching them to threats patterns called scenarios.
{{v1X.crowdsec.Name}} is a modular and plug-able framework, it ships a large variety of [well known popular scenarios](https://hub.crowdsec.net/browse/#configurations); users can choose what scenarios they want to be protected from as well as easily adding new custom ones to better fit their environment.
Detected malevolent peers can then be prevented from accessing your resources by deploying [bouncers]({{v1X.hub.bouncers_url}}) at various levels (applicative, system, infrastructural) of your stack.
One of the advantages of Crowdsec when compared to other solutions is its crowd-sourced aspect : Meta information about detected attacks (source IP, time and triggered scenario) are sent to a central API and then shared amongst all users.
Thanks to this, besides detecting and stopping attacks in real time based on your logs, it allows you to preemptively block known bad actors from accessing your information system.
## Main features
{{v0X.crowdsec.Name}}, besides the core "detect and react" mechanism, is committed to a few other key points :
- **Easy Installation** : The provided wizard allows a [trivial deployment](/Crowdsec/v1/getting_started/installation/#using-the-interactive-wizard) on most standard setups
- **Easy daily operations** : Using [cscli](/Crowdsec/v1/cscli/cscli_upgrade/) and the {{v0X.hub.htmlname}}, keeping your detection mechanisms up-to-date is trivial
- **Reproducibility** : Crowdsec can run not only against live logs, but as well against cold logs. It makes it a lot easier to detect potential false-positives, perform forensic ou generate reporting
- **Observability** : Providing strongs insights on what is going on and what {{v0X.crowdsec.name}} is doing :
- Humans have [access to a trivially deployable web interface](/Crowdsec/v1/observability/dashboard/)
- OPs have [access to detailed prometheus metrics](/Crowdsec/v1/observability/prometheus/)
- Admins have [a friendly command-line interface tool](/Crowdsec/v1/observability/command_line/)
## About this documentation
This document is split according to major {{v1X.crowdsec.Name}} versions :
- [Crowdsec v0](/Crowdsec/v0/) Refers to versions `0.3.X`, before the local API was introduced. (_note: this is going to be deprecated and your are strongly incited to migrate to versions 1.X_)
- [Crowdsec v1](/Crowdsec/v1/) Refers to versions `1.X`, it is the current version


@ -1,27 +0,0 @@
click==7.1.1
future==0.18.2
Jinja2==2.11.3
joblib==0.14.1
livereload==2.6.1
lunr==0.5.6
Markdown==3.2.1
MarkupSafe==1.1.1
mkdocs==1.1
mkdocs-macros-plugin==0.4.18
mkdocs-material==6.1.0
mkdocs-material-extensions==1.0.1
mkdocs-monorepo-plugin==0.4.11
mkdocs-redirects==1.0.1
nltk==3.5b1
prompt-toolkit==2.0.10
Pygments==2.7.4
pymdown-extensions==7.0
python-markdown-math==0.6
PyYAML==5.4
regex==2020.2.20
repackage==0.7.3
six==1.14.0
termcolor==1.1.0
tornado==6.0.4
tqdm==4.43.0
wcwidth==0.1.9
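Review bot: deleting `docs/requirements.txt` also removes the pinned mkdocs toolchain versions (`mkdocs==1.1`, `Jinja2==2.11.3`, `PyYAML==5.4`, ...); the removed CONTRIBUTING.md preview steps ran `pip install -r docs/requirements.txt` followed by `mkdocs serve`, so check that no CI workflow or container build in this repository still references that file or runs `mkdocs build`, and remove or repoint it in the same change so the pipeline does not break on this commit.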


@ -1,12 +0,0 @@
# bouncers
{{v0X.bouncers.Name}} are standalone software pieces in charge of acting upon blocked IPs.
They can either within the applicative stack, or work out of band :
[nginx blocker](https://github.com/crowdsecurity/cs-nginx-blocker) will check every unknown IP against the database before letting go through or serving a *403* to the user, while a [netfilter blocker](https://github.com/crowdsecurity/cs-netfilter-blocker) will simply "add" malevolent IPs to nftables/ipset set of blacklisted IPs.
You can explore [available {{v0X.bouncers.name}} on the hub]({{v0X.hub.plugins_url}}), and find below a few of the "main" {{v0X.bouncers.name}} :


@ -1,87 +0,0 @@
!!! info
Please see your local `{{v0X.cli.bin}} help ban` for up-to-date documentation.
## List bans
```bash
{{v0X.cli.bin}} ban list
```
<details>
<summary>example</summary>
```bash
bui@sd:~$ cli ban list
4 local decisions:
+--------+----------------+----------------------+------+--------+---------+--------------------------------+--------+------------+
| SOURCE | IP | REASON | BANS | ACTION | COUNTRY | AS | EVENTS | EXPIRATION |
+--------+----------------+----------------------+------+--------+---------+--------------------------------+--------+------------+
| cli | 1.1.1.1 | spammer | 1 | ban | | | 0 | 23h59m58s |
| local | 2.2.2.2 | crowdsecurity/ssh-bf | 1 | ban | FR | 3215 Orange | 6 | 3h7m30s |
| local | 3.3.3.3 | crowdsecurity/ssh-bf | 1 | ban | US | 3266 Joao Carlos de Almeida | 6 | 57m17s |
| | | | | | | Silveira trading as Bitcanal | | |
| local | 4.4.4.4 | crowdsecurity/ssh-bf | 1 | ban | FR | 15557 SFR SA | 6 | 5m11s |
+--------+----------------+----------------------+------+--------+---------+--------------------------------+--------+------------+
And 64 records from API, 32 distinct AS, 19 distinct countries
```
</details>
- `SOURCE` is the source of the decision :
- "local" : the decision has been taken by {{v0X.crowdsec.name}}
- "cli" : the decision has been made with {{v0X.cli.name}} (ie. `{{v0X.cli.name}} ban ip 1.2.3.4 24h "because"`)
- "api" : the decision has been pushed to you by the API (because there is a consensus about this ip)
- `IP` is the IP or the IP range impacted by the decision
- `REASON` is the scenario that was triggered (or human-supplied reason)
- `BANS` is the number of "active" remediation against this IP
- `COUNTRY` and `AS` are provided by GeoIP enrichment if present
- `EXPIRATION` is the time left on remediation
Check [command usage](/Crowdsec/v0/cscli/cscli_ban_list/) for additional filtering and output control flags.
## Delete a ban
> delete the ban on IP `1.2.3.4`
```bash
{{v0X.cli.bin}} ban del ip 1.2.3.4
```
> delete the ban on range 1.2.3.0/24
```bash
{{v0X.cli.bin}} ban del range 1.2.3.0/24
```
## Add a ban manually
> Add a ban on IP `1.2.3.4` for 24 hours, with reason 'web bruteforce'
```bash
{{v0X.cli.bin}} ban add ip 1.2.3.4 24h "web bruteforce"
```
> Add a ban on range `1.2.3.0/24` for 24 hours, with reason 'web bruteforce'
```bash
{{v0X.cli.bin}} ban add range 1.2.3.0/24 "web bruteforce"
```
## Flush all existing bans
> Flush all the existing bans
```bash
{{v0X.cli.bin}} ban flush
```
!!! warning
This will as well remove any existing ban


@ -1,115 +0,0 @@
{{v0X.cli.bin}} allows you install, list, upgrade and remove configurations : parsers, enrichment, scenarios.
!!! warning
If you're not running the latest CrowdSec version, configurations might not be the latest available. `cscli` will use the branch of the corresponding CrowdSec version to download and install configurations from the hub (it will use the `master` branch if you are on the latest CrowdSec version).
The various parsers, enrichers and scenarios installed on your machine makes a coherent ensemble to provide detection capabilities.
_Parsers, Scenarios and Enrichers are often bundled together in "collections" to facilitate configuration._
Parsers, scenarios, enrichers and collections all follow the same principle :
- `{{v0X.cli.bin}} install parser crowdsec/nginx-logs`
- `{{v0X.cli.bin}} update collection crowdsec/base-http-scenarios`
- `{{v0X.cli.bin}} remove scenario crowdsec/mysql-bf`
> Please see your local `{{v0X.cli.bin}} help` for up-to-date documentation
## List configurations
```
{{v0X.cli.bin}} list
```
**note** `-a` allows for listing of uninstalled configurations as well
<details>
<summary>{{v0X.cli.name}} list example</summary>
```bash
$ {{v0X.cli.bin}} list
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers
INFO[0000] PARSERS:
--------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------------------------------------------------------------------------------------
crowdsec/nginx-logs ✔️ enabled 0.3 /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
crowdsec/geoip-enrich ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/geoip-enrich.yaml
crowdsec/syslog-logs ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s00-raw/syslog-logs.yaml
crowdsec/whitelists ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/whitelists.yaml
crowdsec/http-logs ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/http-logs.yaml
crowdsec/dateparse-enrich ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/dateparse-enrich.yaml
--------------------------------------------------------------------------------------------------------------------
INFO[0000] SCENARIOS:
-----------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-----------------------------------------------------------------------------------------------------------------------
crowdsec/http-scan-uniques_404 ✔️ enabled 0.4 /etc/crowdsec/config/scenarios/http-scan-uniques_404.yaml
crowdsec/http-crawl-non_statics ✔️ enabled 0.4 /etc/crowdsec/config/scenarios/http-crawl-non_statics.yaml
-----------------------------------------------------------------------------------------------------------------------
INFO[0000] COLLECTIONS:
-------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-------------------------------------------------------------------------------------------------------------------
crowdsec/linux ✔️ enabled 0.2 /etc/crowdsec/config/collections/linux.yaml
crowdsec/nginx ✔️ enabled 0.2 /etc/crowdsec/config/collections/nginx.yaml
crowdsec/base-http-scenarios ✔️ enabled 0.1 /etc/crowdsec/config/collections/base-http-scenarios.yaml
-------------------------------------------------------------------------------------------------------------------
INFO[0000] POSTOVERFLOWS:
--------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------
--------------------------------------
```
</details>
For {{v0X.parsers.htmlname}}, {{v0X.scenarios.htmlname}}, {{v0X.collections.htmlname}} the outputs include, beside the version, the path and the name, a `STATUS` column :
- `✔️ enabled` : configuration is up-to-date
- `⚠️ enabled,outdated` : a newer version is available
- `🚫 enabled,local` : configuration is not managed by {{v0X.cli.name}}
- `⚠️ enabled,tainted` : configuration has been locally modified
(see `{{v0X.cli.name}} upgrade` to upgrade/sync your configurations with {{v0X.hub.htmlname}})
## Install new configurations
`{{v0X.cli.bin}} install parser|scenario|postoverflow <name> [--force]`
- `{{v0X.cli.bin}} install parser crowdsec/nginx-logs`
- `{{v0X.cli.bin}} install scenario crowdsec/http-scan-uniques_404`
## Remove configurations
`{{v0X.cli.bin}} remove parser|scenario|postoverflow <name> [--force]`
## Upgrade configurations
> upgrade a specific scenario
```
{{v0X.cli.bin}} upgrade scenario crowdsec/http-scan-uniques_404
```
> upgrade **all** scenarios
```
{{v0X.cli.bin}} upgrade scenario --all
```
> upgrade **all** configurations (parsers, scenarios, collections, postoverflows)
```
{{v0X.cli.bin}} upgrade --all
```


@ -1,127 +0,0 @@
# Debugging Scenarios and Parsers
## General Advice
When trying to debug a parser or a scenario :
- Work on "cold logs" (with the `-file` and `-type` options) rather than live ones
- Use the `/etc/crowdsec/config/user.yaml` configuration files to have logs on stdout
## Using user-mode configuration
```bash
crowdsec -c /etc/crowdsec/config/user.yaml -file mylogs.log.gz -type syslog
INFO[05-08-2020 16:15:47] Crowdsec v0.3.0-rc3-7525f11975a0107746213862dc41c69e00122ac7
INFO[05-08-2020 16:15:47] Loading grok library
...
WARN[05-08-2020 16:16:12] 182.x.x.x triggered a 4h0m0s ip ban remediation for [crowdsecurity/http-probing] bucket_id=misty-moon event_time="2019-01-01 22:58:32 +0100 CET" scenario=crowdsecurity/http-probing source_ip=182.x.x.x
...
```
- `/etc/crowdsec/config/user.yaml` disables demonization and push logs to stdout/stderr
- `-type` must respect expected log type (ie. `nginx` `syslog` etc.)
- `-file` must point to a flat file or a gzip file
When processing logs like this, {{v0X.crowdsec.name}} runs in "time machine" mode, and relies on the timestamps *in* the logs to evaluate scenarios. You will most likely need the `crowdsecurity/dateparse-enrich` parser for this.
## Testing configurations on live system
If you're playing around with parser/scenarios on a live system, you can use the `-t` (lint) option of {{v0X.crowdsec.Name}} to check your configurations validity before restarting/reloading services :
```bash
$ emacs /etc/crowdsec/config/scenarios/ssh-bf.yaml
...
$ crowdsec -c /etc/crowdsec/config/user.yaml -t
INFO[06-08-2020 13:36:04] Crowdsec v0.3.0-rc3-4cffef42732944d4b81b3e62a03d4040ad74f185
...
ERRO[06-08-2020 13:36:05] Bad yaml in /etc/crowdsec/config/scenarios/ssh-bf.yaml : yaml: unmarshal errors:
line 2: field typex not found in type leakybucket.BucketFactory
FATA[06-08-2020 13:36:05] Failed to load scenarios: Scenario loading failed : bad yaml in /etc/crowdsec/config/scenarios/ssh-bf.yaml : yaml: unmarshal errors:
line 2: field typex not found in type leakybucket.BucketFactory
```
Using this, you won't have to kill your running service before you know the scenarios/parsers are at least syntactically correct.
## Using debug
Both scenarios and parsers support a `debug: true|false` option which produce useful debug.
<details>
<summary>Debug parsing output (expand)</summary>
```bash
DEBU[05-08-2020 15:25:36] eval(evt.Parsed.program == 'nginx') = TRUE id=lively-smoke name=crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] eval variables: id=lively-smoke name=crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] evt.Parsed.program = 'nginx' id=lively-smoke name=crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] Event entering node id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] + Grok 'NGINXACCESS' returned 10 entries to merge in Parsed id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] .Parsed['request'] = '/data.php' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] .Parsed['http_user_agent'] = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] .Parsed['http_referer'] = '-' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] .Parsed['remote_addr'] = '123.x.x.x' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] .Parsed['remote_user'] = '-' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] .Parsed['time_local'] = '01/Jan/2019:01:39:06 +0100' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] .Parsed['method'] = 'POST' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] .Parsed['body_bytes_sent'] = '162' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] .Parsed['http_version'] = '1.1' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] .Parsed['status'] = '404' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] .Meta[log_type] = 'http_access-log' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] evt.StrTime = '01/Jan/2019:01:39:06 +0100' id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] Event leaving node : ok id=icy-dew name=child-crowdsecurity/nginx-logs stage=s01-parse
DEBU[05-08-2020 15:25:36] child is success, OnSuccess=next_stage, skip id=lively-smoke name=crowdsecurity/nginx-logs stage=s01-parse
```
</details>
<details>
<summary>Debug scenario output (expand)</summary>
```bash
DEBU[05-08-2020 16:02:26] eval(evt.Meta.service == 'http' && evt.Meta.http_status in ['404', '403', '400'] && evt.Parsed.static_ressource == 'false') = TRUE cfg=black-wave file=config/scenarios/http-probing.yaml name=crowdsecurity/http-probing
DEBU[05-08-2020 16:02:26] eval variables: cfg=black-wave file=config/scenarios/http-probing.yaml name=crowdsecurity/http-probing
DEBU[05-08-2020 16:02:26] evt.Meta.service = 'http' cfg=black-wave file=config/scenarios/http-probing.yaml name=crowdsecurity/http-probing
DEBU[05-08-2020 16:02:26] evt.Meta.http_status = '404' cfg=black-wave file=config/scenarios/http-probing.yaml name=crowdsecurity/http-probing
DEBU[05-08-2020 16:02:26] evt.Parsed.static_ressource = 'false' cfg=black-wave file=config/scenarios/http-probing.yaml name=crowdsecurity/http-probing
```
</details>
# Test environments
From a [{{v0X.crowdsec.name}} release archive]({{v0X.crowdsec.download_url}}), you can deploy a test (non-root) environment that is very suitable to write/debug/test parsers and scenarios. Environment is deployed using `./test_env.sh` script from tgz directory, and creates a test environment in `./tests` :
```bash
$ cd crowdsec-v0.3.0/
$ ./test_env.sh
...
[08/05/2020:04:19:18 PM][INFO] Setting up configurations
INFO[0000] Wrote new 75065 bytes index to config/crowdsec-cli/.index.json
INFO[0000] crowdsecurity/syslog-logs : OK
INFO[0000] crowdsecurity/geoip-enrich : OK
...
INFO[0007] Enabled collections : crowdsecurity/linux
INFO[0007] Enabled crowdsecurity/linux
[08/05/2020:04:19:26 PM][INFO] Environment is ready in /home/bui/github/crowdsec/crowdsec/crowdsec-v0.3.0/tests
$ cd tests
$ ./cscli -c dev.yaml list
...
INFO[0000] PARSERS:
-------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-------------------------------------------------------------------------------------------------------
crowdsecurity/geoip-enrich ✔️ enabled 0.2 config/parsers/s02-enrich/geoip-enrich.yaml
crowdsecurity/syslog-logs ✔️ enabled 0.3 config/parsers/s00-raw/syslog-logs.yaml
crowdsecurity/sshd-logs ✔️ enabled 0.2 config/parsers/s01-parse/sshd-logs.yaml
crowdsecurity/dateparse-enrich ✔️ enabled 0.1 config/parsers/s02-enrich/dateparse-enrich.yaml
-------------------------------------------------------------------------------------------------------
...
$ ./crowdsec -c dev.yaml -file sshd.log -type syslog
INFO[05-08-2020 16:23:32] Crowdsec v0.3.0-rc3-7525f11975a0107746213862dc41c69e00122ac7
INFO[05-08-2020 16:23:32] Loading grok library
...
```
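Review bot: the sample output in the test-environment section leaks a developer's home directory (`Environment is ready in /home/bui/github/crowdsec/crowdsec/crowdsec-v0.3.0/tests`) and pins `crowdsec-v0.3.0` in the `cd` line and the `Crowdsec v0.3.0-rc3-...` banner, while the prose just above already uses the `{{v0X.crowdsec.download_url}}` placeholder. If this page is being moved to the new repository rather than dropped, replace the path with a neutral one and template the version so the copy there does not go stale. The `./crowdsec -c dev.yaml -file sshd.log -type syslog` line is the one worth keeping verbatim: it is the only place the page shows how to replay a log file through the test config without restarting the running service.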

@ -1,58 +0,0 @@
## cscli
cscli allows you to manage crowdsec
### Synopsis
cscli is the main command to interact with your crowdsec service, scenarios & db.
It is meant to allow you to manage bans, parsers/scenarios/etc, api and generally manage you crowdsec setup.
### Examples
```
View/Add/Remove bans:
- cscli ban list
- cscli ban add ip 1.2.3.4 24h 'go away'
- cscli ban del 1.2.3.4
View/Add/Upgrade/Remove scenarios and parsers:
- cscli list
- cscli install collection crowdsec/linux-web
- cscli remove scenario crowdsec/ssh_enum
- cscli upgrade --all
API interaction:
- cscli api pull
- cscli api register
```
### Options
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
-o, --output string Output format : human, json, raw. (default "human")
--debug Set logging to debug.
--info Set logging to info.
--warning Set logging to warning.
--error Set logging to error.
-h, --help help for cscli
```
### SEE ALSO
* [cscli api](cscli_api.md) - Crowdsec API interaction
* [cscli backup](cscli_backup.md) - Backup or restore configuration (api, parsers, scenarios etc.) to/from directory
* [cscli ban](cscli_ban.md) - Manage bans/mitigations
* [cscli config](cscli_config.md) - Allows to view/edit cscli config
* [cscli dashboard](cscli_dashboard.md) - Start a dashboard (metabase) container.
* [cscli inspect](cscli_inspect.md) - Inspect configuration(s)
* [cscli install](cscli_install.md) - Install configuration(s) from hub
* [cscli list](cscli_list.md) - List enabled configs
* [cscli metrics](cscli_metrics.md) - Display crowdsec prometheus metrics.
* [cscli remove](cscli_remove.md) - Remove/disable configuration(s)
* [cscli simulation](cscli_simulation.md) -
* [cscli update](cscli_update.md) - Fetch available configs from hub
* [cscli upgrade](cscli_upgrade.md) - Upgrade configuration(s)
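Review bot: the Examples block uses a `crowdsec/` hub prefix (`cscli install collection crowdsec/linux-web`, `cscli remove scenario crowdsec/ssh_enum`) while the rest of the removed reference uses `crowdsecurity/` (for example `ban list --reason crowdsecurity/http-probing`), so pasting these examples as written would not resolve against the hub. The `cscli simulation` entry in SEE ALSO also has an empty description, and "manage you crowdsec setup" should read "manage your". Since this page is generated from the command help strings, the fix belongs in the help text of whichever version is carried into the new docs repository.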

@ -1,49 +0,0 @@
## cscli api
Crowdsec API interaction
### Synopsis
Allow to register your machine into crowdsec API to send and receive signal.
### Examples
```
cscli api register # Register to Crowdsec API
cscli api pull # Pull malevolant IPs from Crowdsec API
cscli api reset # Reset your machines credentials
cscli api enroll # Enroll your machine to the user account you created on Crowdsec backend
cscli api credentials # Display your API credentials
```
### Options
```
-h, --help help for api
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
* [cscli api credentials](cscli_api_credentials.md) - Display api credentials
* [cscli api enroll](cscli_api_enroll.md) - Associate your machine to an existing crowdsec user
* [cscli api pull](cscli_api_pull.md) - Pull crowdsec API TopX
* [cscli api register](cscli_api_register.md) - Register on Crowdsec API
* [cscli api reset](cscli_api_reset.md) - Reset password on CrowdSec API
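Review bot: `cscli api reset` is described two different ways on this page, "Reset your machines credentials" in Examples and "Reset password on CrowdSec API" in SEE ALSO; pick one so the reader knows whether the machine_id survives a reset or only the password is rotated. "malevolant" in the `api pull` example should be "malevolent".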

@ -1,40 +0,0 @@
## cscli api credentials
Display api credentials
### Synopsis
Display api credentials
```
cscli api credentials [flags]
```
### Examples
```
cscli api credentials
```
### Options
```
-h, --help help for credentials
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli api](cscli_api.md) - Crowdsec API interaction
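Review bot: the synopsis only repeats the one-line description. Since this command prints the machine's API password (the `cscli api register` page says the printed machine_id and password go into api.yaml), the page should state that the output is a secret and must not be pasted into bug reports or shared logs; `-o json` makes that mistake easy to script.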

@ -1,41 +0,0 @@
## cscli api enroll
Associate your machine to an existing crowdsec user
### Synopsis
Enrolling your machine into your user account will allow for more accurate lists and threat detection. See website to create user account.
```
cscli api enroll [flags]
```
### Examples
```
cscli api enroll -u 1234567890ffff
```
### Options
```
-h, --help help for enroll
-u, --user string User ID (required)
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli api](cscli_api.md) - Crowdsec API interaction

@ -1,40 +0,0 @@
## cscli api pull
Pull crowdsec API TopX
### Synopsis
Pulls a list of malveolent IPs relevant to your situation and add them into the local ban database.
```
cscli api pull [flags]
```
### Examples
```
cscli api pull
```
### Options
```
-h, --help help for pull
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli api](cscli_api.md) - Crowdsec API interaction
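Review bot: "malveolent" in the synopsis should be "malevolent". The synopsis also says pulled IPs are added to the local ban database but not how to see them; a cross-reference to `cscli ban list --api` ("List as well bans received from API"), which is where they appear, would save the reader a search.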

@ -1,41 +0,0 @@
## cscli api register
Register on Crowdsec API
### Synopsis
This command will register your machine to crowdsec API to allow you to receive list of malveolent IPs.
The printed machine_id and password should be added to your api.yaml file.
```
cscli api register [flags]
```
### Examples
```
cscli api register
```
### Options
```
-h, --help help for register
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli api](cscli_api.md) - Crowdsec API interaction
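Review bot: the synopsis tells the user to add the printed machine_id and password to api.yaml but says nothing about protecting that file; since the password is what identifies this machine to the API, a sentence on keeping api.yaml readable only by the user crowdsec runs as is warranted here. "malveolent" should be "malevolent".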

@ -1,40 +0,0 @@
## cscli api reset
Reset password on CrowdSec API
### Synopsis
Attempts to reset your credentials to the API.
```
cscli api reset [flags]
```
### Examples
```
cscli api reset
```
### Options
```
-h, --help help for reset
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli api](cscli_api.md) - Crowdsec API interaction

@ -1,39 +0,0 @@
## cscli backup
Backup or restore configuration (api, parsers, scenarios etc.) to/from directory
### Synopsis
This command is here to help you save and/or restore crowdsec configurations to simple replication
### Examples
```
cscli backup save ./my-backup
cscli backup restore ./my-backup
```
### Options
```
-h, --help help for backup
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
* [cscli backup restore](cscli_backup_restore.md) - Restore configuration (api, parsers, scenarios etc.) from directory
* [cscli backup save](cscli_backup_save.md) - Backup configuration (api, parsers, scenarios etc.) to directory
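Review bot: "to simple replication" in the synopsis should read "to simplify replication".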

@ -1,49 +0,0 @@
## cscli backup restore
Restore configuration (api, parsers, scenarios etc.) from directory
### Synopsis
restore command will try to restore all saved information from <directory> to yor local setup, including :
- Installation of up-to-date scenarios/parsers/... via cscli
- Restauration of tainted/local/out-of-date scenarios/parsers/... file
- Restauration of API credentials (if the existing ones aren't working)
- Restauration of acqusition configuration
```
cscli backup restore <directory> [flags]
```
### Examples
```
cscli backup restore ./my-backup
```
### Options
```
-h, --help help for restore
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli backup](cscli_backup.md) - Backup or restore configuration (api, parsers, scenarios etc.) to/from directory
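Review bot: the synopsis has "Restauration" three times for "Restoration", "acqusition" for "acquisition" and "yor" for "your". It also says up-to-date scenarios/parsers are reinstalled "via cscli", which means restore needs a current hub index and network access; stating that, with a pointer to `cscli update` ("Fetch available configs from hub"), would spare the reader a failed restore on an offline host.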

@ -1,50 +0,0 @@
## cscli backup save
Backup configuration (api, parsers, scenarios etc.) to directory
### Synopsis
backup command will try to save all relevant informations to crowdsec config, including :
- List of scenarios, parsers, postoverflows and collections that are up-to-date
- Actual backup of tainted/local/out-of-date scenarios, parsers, postoverflows and collections
- Backup of API credentials
- Backup of acquisition configuration
```
cscli backup save <directory> [flags]
```
### Examples
```
cscli backup save ./my-backup
```
### Options
```
-h, --help help for save
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli backup](cscli_backup.md) - Backup or restore configuration (api, parsers, scenarios etc.) to/from directory
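Review bot: "Backup of API credentials" means `<directory>` will contain the machine's API password, but nothing on the page says so; add a warning that the backup directory should be created with restrictive permissions and handled with the same care as api.yaml itself. "informations" should be "information".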

@ -1,37 +0,0 @@
## cscli ban
Manage bans/mitigations
### Synopsis
This is the main interaction point with local ban database for humans.
You can add/delete/list or flush current bans in your local ban DB.
### Options
```
--remediation string Set specific remediation type : ban|slow|captcha (default "ban")
-h, --help help for ban
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
* [cscli ban add](cscli_ban_add.md) - Adds a ban against a given ip/range for the provided duration
* [cscli ban del](cscli_ban_del.md) - Delete bans from db
* [cscli ban flush](cscli_ban_flush.md) - Fush ban DB
* [cscli ban list](cscli_ban_list.md) - List local or api bans/remediations
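Review bot: "Fush ban DB" in SEE ALSO should be "Flush ban DB". The `--remediation string Set specific remediation type : ban|slow|captcha` flag is defined here and inherited by `del`, `flush` and `list`, but none of those pages says what it does there (filter, or ignored); either document it per subcommand or restrict it to `add`.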

@ -1,45 +0,0 @@
## cscli ban add
Adds a ban against a given ip/range for the provided duration
### Synopsis
Allows to add a ban against a specific ip or range target for a specific duration.
The duration argument can be expressed in seconds(s), minutes(m) or hours (h).
See [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) for more informations.
### Examples
```
cscli ban add ip 1.2.3.4 24h "scan"
cscli ban add range 1.2.3.0/24 24h "the whole range"
```
### Options
```
-h, --help help for add
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--remediation string Set specific remediation type : ban|slow|captcha (default "ban")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli ban](cscli_ban.md) - Manage bans/mitigations
* [cscli ban add ip](cscli_ban_add_ip.md) - Adds the specific ip to the ban db
* [cscli ban add range](cscli_ban_add_range.md) - Adds the specific ip to the ban db
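Review bot: the SEE ALSO entry for `cscli ban add range` reads "Adds the specific ip to the ban db", a copy of the `ip` entry; it should say "range". The synopsis says the duration "can be expressed in seconds(s), minutes(m) or hours (h)" and points at time.ParseDuration; it is worth adding that a day unit is not accepted by that parser, so multi-day bans must be written in hours (`48h`, not `2d`).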

@ -1,41 +0,0 @@
## cscli ban add ip
Adds the specific ip to the ban db
### Synopsis
Duration must be [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration), expressed in s/m/h.
```
cscli ban add ip <target> <duration> <reason> [flags]
```
### Examples
```
cscli ban add ip 1.2.3.4 12h "the scan"
```
### Options
```
-h, --help help for ip
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--remediation string Set specific remediation type : ban|slow|captcha (default "ban")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli ban add](cscli_ban_add.md) - Adds a ban against a given ip/range for the provided duration

@ -1,41 +0,0 @@
## cscli ban add range
Adds the specific ip to the ban db
### Synopsis
Duration must be [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) compatible, expressed in s/m/h.
```
cscli ban add range <target> <duration> <reason> [flags]
```
### Examples
```
cscli ban add range 1.2.3.0/24 12h "the whole range"
```
### Options
```
-h, --help help for range
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--remediation string Set specific remediation type : ban|slow|captcha (default "ban")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli ban add](cscli_ban_add.md) - Adds a ban against a given ip/range for the provided duration
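Review bot: the short description "Adds the specific ip to the ban db" is copied from the `ip` subcommand; this page is `cscli ban add range` and should say it bans a range.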

@ -1,40 +0,0 @@
## cscli ban del
Delete bans from db
### Synopsis
The removal of the bans can be applied on a single IP address or directly on a IP range.
### Examples
```
cscli ban del ip 1.2.3.4
cscli ban del range 1.2.3.0/24
```
### Options
```
-h, --help help for del
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--remediation string Set specific remediation type : ban|slow|captcha (default "ban")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli ban](cscli_ban.md) - Manage bans/mitigations
* [cscli ban del ip](cscli_ban_del_ip.md) - Delete bans for given ip from db
* [cscli ban del range](cscli_ban_del_range.md) - Delete bans for given ip from db
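Review bot: the SEE ALSO entry for `cscli ban del range` reads "Delete bans for given ip from db", the same text as the `ip` entry; it should say "range".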

@ -1,41 +0,0 @@
## cscli ban del ip
Delete bans for given ip from db
### Synopsis
Delete bans for given ip from db
```
cscli ban del ip <target> [flags]
```
### Examples
```
cscli ban del ip 1.2.3.4
```
### Options
```
-h, --help help for ip
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--remediation string Set specific remediation type : ban|slow|captcha (default "ban")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli ban del](cscli_ban_del.md) - Delete bans from db

@ -1,41 +0,0 @@
## cscli ban del range
Delete bans for given ip from db
### Synopsis
Delete bans for given ip from db
```
cscli ban del range <target> [flags]
```
### Examples
```
cscli ban del range 1.2.3.0/24
```
### Options
```
-h, --help help for range
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--remediation string Set specific remediation type : ban|slow|captcha (default "ban")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli ban del](cscli_ban_del.md) - Delete bans from db
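Review bot: both the short description and the synopsis say "Delete bans for given ip from db" on the `range` page; they should say "range".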

@ -1,41 +0,0 @@
## cscli ban flush
Fush ban DB
### Synopsis
Fush ban DB
```
cscli ban flush [flags]
```
### Examples
```
cscli ban flush
```
### Options
```
-h, --help help for flush
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--remediation string Set specific remediation type : ban|slow|captcha (default "ban")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli ban](cscli_ban.md) - Manage bans/mitigations
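Review bot: "Fush ban DB" appears as both the short description and the synopsis; fix the typo and replace the synopsis with what the command does, which per the parent page is to "flush current bans in your local ban DB", i.e. every local decision is removed. Given that this is not reversible, the page should say so rather than repeat the title.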

@ -1,66 +0,0 @@
## cscli ban list
List local or api bans/remediations
### Synopsis
List the bans, by default only local decisions.
If --all/-a is specified, bans will be displayed without limit (--limit).
Default limit is 50.
Time can be specified with --at and support a variety of date formats:
- Jan 2 15:04:05
- Mon Jan 02 15:04:05.000000 2006
- 2006-01-02T15:04:05Z07:00
- 2006/01/02
- 2006/01/02 15:04
- 2006-01-02
- 2006-01-02 15:04
```
cscli ban list [flags]
```
### Examples
```
ban list --range 0.0.0.0/0 : will list all
ban list --country CN
ban list --reason crowdsecurity/http-probing
ban list --as OVH
```
### Options
```
-a, --all List bans without limit
--api List as well bans received from API
--as string List bans belonging to given AS name
--at string List bans at given time
--country string List bans belonging to given country code
-h, --help help for list
--ip string List bans for given IP
--limit int Limit of bans to display (default 50) (default 50)
--range string List bans belonging to given range
--reason string List bans containing given reason
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--remediation string Set specific remediation type : ban|slow|captcha (default "ban")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli ban](cscli_ban.md) - Manage bans/mitigations
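Review bot: `--limit int Limit of bans to display (default 50) (default 50)` shows the default twice because the flag's help string embeds "(default 50)" and the doc generator appends it again; drop it from the help string. The synopsis sentence "If --all/-a is specified, bans will be displayed without limit (--limit)" could simply say `-a` overrides `--limit`.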

@ -1,39 +0,0 @@
## cscli config
Allows to view/edit cscli config
### Synopsis
Allow to configure database plugin path and installation directory.
If no commands are specified, config is in interactive mode.
### Examples
```
- cscli config show
- cscli config prompt
```
### Options
```
-h, --help help for config
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
* [cscli config show](cscli_config_show.md) - Displays current config
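Review bot: Examples lists `cscli config prompt` but SEE ALSO only links `cscli config show`, so either the `prompt` subcommand page is missing from the generated set or the example is stale; the synopsis line "If no commands are specified, config is in interactive mode" suggests `prompt` may simply be the bare `cscli config`, in which case the example should be corrected.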

@ -1,34 +0,0 @@
## cscli config show
Displays current config
### Synopsis
Displays the current cli configuration.
```
cscli config show [flags]
```
### Options
```
-h, --help help for show
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli config](cscli_config.md) - Allows to view/edit cscli config

@ -1,42 +0,0 @@
## cscli dashboard
Start a dashboard (metabase) container.
### Synopsis
Start a metabase container exposing dashboards and metrics.
### Examples
```
cscli dashboard setup
cscli dashboard start
cscli dashboard stop
cscli dashboard setup --force
```
### Options
```
-h, --help help for dashboard
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
* [cscli dashboard setup](cscli_dashboard_setup.md) - Setup a metabase container.
* [cscli dashboard start](cscli_dashboard_start.md) - Start the metabase container.
* [cscli dashboard stop](cscli_dashboard_stop.md) - Stops the metabase container.

@ -1,47 +0,0 @@
## cscli dashboard setup
Setup a metabase container.
### Synopsis
Perform a metabase docker setup, download standard dashboards, create a fresh user and start the container
```
cscli dashboard setup [flags]
```
### Examples
```
cscli dashboard setup
cscli dashboard setup --force
cscli dashboard setup -l 0.0.0.0 -p 443
```
### Options
```
-d, --dir string Shared directory with metabase container. (default "/var/lib/crowdsec/data")
-f, --force Force setup : override existing files.
-h, --help help for setup
-l, --listen string Listen address of container (default "127.0.0.1")
-p, --port string Listen port of container (default "3000")
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli dashboard](cscli_dashboard.md) - Start a dashboard (metabase) container.
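Review bot: the example `cscli dashboard setup -l 0.0.0.0 -p 443` binds the metabase container to every interface with no accompanying warning. Since setup "create[s] a fresh user" and mounts `/var/lib/crowdsec/data` into the container, that example exposes the dashboard login and the ban data behind it to the network; the page should say that the `127.0.0.1` default is the safe one and that a non-loopback listen address belongs behind a TLS-terminating, authenticated proxy. `--port string` would also read better typed as an integer.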

@ -1,34 +0,0 @@
## cscli dashboard start
Start the metabase container.
### Synopsis
Stats the metabase container using docker.
```
cscli dashboard start [flags]
```
### Options
```
-h, --help help for start
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli dashboard](cscli_dashboard.md) - Start a dashboard (metabase) container.
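Review bot: "Stats the metabase container using docker." in the synopsis should read "Starts".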

@ -1,35 +0,0 @@
## cscli dashboard stop
Stops the metabase container.
### Synopsis
Stops the metabase container using docker.
```
cscli dashboard stop [flags]
```
### Options
```
-h, --help help for stop
-r, --remove remove (docker rm) container as well.
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli dashboard](cscli_dashboard.md) - Start a dashboard (metabase) container.

@ -1,47 +0,0 @@
## cscli inspect
Inspect configuration(s)
### Synopsis
Inspect give you full detail about local installed configuration.
[type] must be parser, scenario, postoverflow, collection.
[config_name] must be a valid config name from [Crowdsec Hub](https://hub.crowdsec.net) or locally installed.
### Examples
```
cscli inspect parser crowdsec/xxx
cscli inspect collection crowdsec/xxx
```
### Options
```
-h, --help help for inspect
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
* [cscli inspect collection](cscli_inspect_collection.md) - Inspect given collection
* [cscli inspect parser](cscli_inspect_parser.md) - Inspect given log parser
* [cscli inspect postoverflow](cscli_inspect_postoverflow.md) - Inspect given postoverflow parser
* [cscli inspect scenario](cscli_inspect_scenario.md) - Inspect given scenario
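Review bot: "Inspect give you full detail" should be "Inspect gives you full detail", and the examples use a `crowdsec/xxx` prefix while hub items elsewhere on this page are `crowdsecurity/...` (for example `crowdsecurity/http-probing`); using a real item name such as one of those would make the example copy-pasteable. The same `crowdsec/xxx` placeholder recurs on the four inspect subcommand pages and the install pages that follow.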

@ -1,40 +0,0 @@
## cscli inspect collection
Inspect given collection
### Synopsis
Inspect given collection from hub
```
cscli inspect collection [config] [flags]
```
### Examples
```
cscli inspect collection crowdsec/xxx
```
### Options
```
-h, --help help for collection
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli inspect](cscli_inspect.md) - Inspect configuration(s)

@ -1,40 +0,0 @@
## cscli inspect parser
Inspect given log parser
### Synopsis
Inspect given parser from hub
```
cscli inspect parser [config] [flags]
```
### Examples
```
cscli inspect parser crowdsec/xxx
```
### Options
```
-h, --help help for parser
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli inspect](cscli_inspect.md) - Inspect configuration(s)

@ -1,40 +0,0 @@
## cscli inspect postoverflow
Inspect given postoverflow parser
### Synopsis
Inspect given postoverflow from hub.
```
cscli inspect postoverflow [config] [flags]
```
### Examples
```
cscli inspect postoverflow crowdsec/xxx
```
### Options
```
-h, --help help for postoverflow
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli inspect](cscli_inspect.md) - Inspect configuration(s)

@ -1,40 +0,0 @@
## cscli inspect scenario
Inspect given scenario
### Synopsis
Inspect given scenario from hub
```
cscli inspect scenario [config] [flags]
```
### Examples
```
cscli inspect scenario crowdsec/xxx
```
### Options
```
-h, --help help for scenario
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli inspect](cscli_inspect.md) - Inspect configuration(s)

@ -1,51 +0,0 @@
## cscli install
Install configuration(s) from hub
### Synopsis
Install configuration from the CrowdSec Hub.
In order to download latest versions of configuration,
you should [update cscli](./cscli_update.md).
[type] must be parser, scenario, postoverflow, collection.
[config_name] must be a valid config name from [Crowdsec Hub](https://hub.crowdsec.net).
### Examples
```
cscli install [type] [config_name]
```
### Options
```
-d, --download-only Only download packages, don't enable
--force Force install : Overwrite tainted and outdated files
-h, --help help for install
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
* [cscli install collection](cscli_install_collection.md) - Install given collection
* [cscli install parser](cscli_install_parser.md) - Install given parser
* [cscli install postoverflow](cscli_install_postoverflow.md) - Install given postoverflow parser
* [cscli install scenario](cscli_install_scenario.md) - Install given scenario
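Review bot: the link text "update cscli" in `you should [update cscli](./cscli_update.md)` is misleading; the linked page describes `cscli update`, which refreshes the hub index, not an upgrade of the cscli binary. Suggest `you should run [cscli update](./cscli_update.md) first`. Same hunk: `--force Force install : Overwrite tainted and outdated files` is the one flag on this page that throws away local state, yet "tainted" is never defined here or on the `cscli upgrade` page; since this text is only being moved, the relocated copy should say what makes an item tainted and that `--force` discards it.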

@ -1,42 +0,0 @@
## cscli install collection
Install given collection
### Synopsis
Fetch and install given collection from hub
```
cscli install collection [config] [flags]
```
### Examples
```
cscli install collection crowdsec/xxx
```
### Options
```
-h, --help help for collection
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
-d, --download-only Only download packages, don't enable
--error Set logging to error.
--force Force install : Overwrite tainted and outdated files
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli install](cscli_install.md) - Install configuration(s) from hub

@ -1,42 +0,0 @@
## cscli install parser
Install given parser
### Synopsis
Fetch and install given parser from hub
```
cscli install parser [config] [flags]
```
### Examples
```
cscli install parser crowdsec/xxx
```
### Options
```
-h, --help help for parser
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
-d, --download-only Only download packages, don't enable
--error Set logging to error.
--force Force install : Overwrite tainted and outdated files
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli install](cscli_install.md) - Install configuration(s) from hub

@ -1,43 +0,0 @@
## cscli install postoverflow
Install given postoverflow parser
### Synopsis
Fetch and install given postoverflow from hub.
As a reminder, postoverflows are parsing configuration that will occur after the overflow (before a decision is applied).
```
cscli install postoverflow [config] [flags]
```
### Examples
```
cscli install collection crowdsec/xxx
```
### Options
```
-h, --help help for postoverflow
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
-d, --download-only Only download packages, don't enable
--error Set logging to error.
--force Force install : Overwrite tainted and outdated files
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli install](cscli_install.md) - Install configuration(s) from hub
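Review bot: the example under `cscli install postoverflow` runs the wrong subcommand: `cscli install collection crowdsec/xxx` should read `cscli install postoverflow crowdsec/xxx`, matching the usage line `cscli install postoverflow [config] [flags]`. Worth fixing in the relocated copy, since this page is being moved rather than retired.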

@ -1,42 +0,0 @@
## cscli install scenario
Install given scenario
### Synopsis
Fetch and install given scenario from hub
```
cscli install scenario [config] [flags]
```
### Examples
```
cscli install scenario crowdsec/xxx
```
### Options
```
-h, --help help for scenario
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
-d, --download-only Only download packages, don't enable
--error Set logging to error.
--force Force install : Overwrite tainted and outdated files
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli install](cscli_install.md) - Install configuration(s) from hub

@ -1,54 +0,0 @@
## cscli list
List enabled configs
### Synopsis
List enabled configurations (parser/scenarios/collections) on your host.
It is possible to list also configuration from [Crowdsec Hub](https://hub.crowdsec.net) with the '-a' options.
[type] must be parsers, scenarios, postoverflows, collections
```
cscli list [-a] [flags]
```
### Examples
```
cscli list # List all local configurations
cscli list [type] # List all local configuration of type [type]
cscli list -a # List all local and remote configurations
```
### Options
```
-a, --all List as well disabled items
-h, --help help for list
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
* [cscli list collections](cscli_list_collections.md) - List enabled collections
* [cscli list parsers](cscli_list_parsers.md) - List enabled parsers
* [cscli list postoverflows](cscli_list_postoverflows.md) - List enabled postoverflow parsers
* [cscli list scenarios](cscli_list_scenarios.md) - List enabled scenarios
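Review bot: the `-a` flag is described three different ways in this hunk: the synopsis says it also lists configuration from the Hub, the example says `# List all local and remote configurations`, and the option table says `List as well disabled items`. The option table is the one generated from the flag definition, so align the synopsis and the example with it. The type list `parsers, scenarios, postoverflows, collections` is also plural here while `cscli install` and `cscli remove` document singular types; say so explicitly so readers do not carry one convention to the other command.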

@ -1,35 +0,0 @@
## cscli list collections
List enabled collections
### Synopsis
List enabled collections
```
cscli list collections [-a] [flags]
```
### Options
```
-h, --help help for collections
```
### Options inherited from parent commands
```
-a, --all List as well disabled items
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli list](cscli_list.md) - List enabled configs

@ -1,35 +0,0 @@
## cscli list parsers
List enabled parsers
### Synopsis
List enabled parsers
```
cscli list parsers [-a] [flags]
```
### Options
```
-h, --help help for parsers
```
### Options inherited from parent commands
```
-a, --all List as well disabled items
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli list](cscli_list.md) - List enabled configs

@ -1,35 +0,0 @@
## cscli list postoverflows
List enabled postoverflow parsers
### Synopsis
List enabled postoverflow parsers
```
cscli list postoverflows [-a] [flags]
```
### Options
```
-h, --help help for postoverflows
```
### Options inherited from parent commands
```
-a, --all List as well disabled items
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli list](cscli_list.md) - List enabled configs

@ -1,35 +0,0 @@
## cscli list scenarios
List enabled scenarios
### Synopsis
List enabled scenarios
```
cscli list scenarios [-a] [flags]
```
### Options
```
-h, --help help for scenarios
```
### Options inherited from parent commands
```
-a, --all List as well disabled items
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli list](cscli_list.md) - List enabled configs

@ -1,35 +0,0 @@
## cscli metrics
Display crowdsec prometheus metrics.
### Synopsis
Fetch metrics from the prometheus server and display them in a human-friendly way
```
cscli metrics [flags]
```
### Options
```
-h, --help help for metrics
-u, --url string Prometheus url (default "http://127.0.0.1:6060/metrics")
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec

@ -1,48 +0,0 @@
## cscli remove
Remove/disable configuration(s)
### Synopsis
Remove local configuration.
[type] must be parser, scenario, postoverflow, collection
[config_name] must be a valid config name from [Crowdsec Hub](https://hub.crowdsec.net) or locally installed.
### Examples
```
cscli remove [type] [config_name]
```
### Options
```
--all Delete all the files in selected scope
-h, --help help for remove
--purge Delete source file in ~/.cscli/hub/ too
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
* [cscli remove collection](cscli_remove_collection.md) - Remove/disable collection
* [cscli remove parser](cscli_remove_parser.md) - Remove/disable parser
* [cscli remove postoverflow](cscli_remove_postoverflow.md) - Remove/disable postoverflow parser
* [cscli remove scenario](cscli_remove_scenario.md) - Remove/disable scenario

@ -1,36 +0,0 @@
## cscli remove collection
Remove/disable collection
### Synopsis
<config> must be a valid collection.
```
cscli remove collection [config] [flags]
```
### Options
```
-h, --help help for collection
```
### Options inherited from parent commands
```
--all Delete all the files in selected scope
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--purge Delete source file in ~/.cscli/hub/ too
--warning Set logging to warning.
```
### SEE ALSO
* [cscli remove](cscli_remove.md) - Remove/disable configuration(s)

@ -1,36 +0,0 @@
## cscli remove parser
Remove/disable parser
### Synopsis
<config> must be a valid parser.
```
cscli remove parser <config> [flags]
```
### Options
```
-h, --help help for parser
```
### Options inherited from parent commands
```
--all Delete all the files in selected scope
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--purge Delete source file in ~/.cscli/hub/ too
--warning Set logging to warning.
```
### SEE ALSO
* [cscli remove](cscli_remove.md) - Remove/disable configuration(s)
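Review bot: the usage line `cscli remove parser <config> [flags]` uses angle brackets while the sibling `remove collection`, `remove postoverflow` and `remove scenario` pages use `[config]`; pick one convention in the cobra `Use` strings so the generated pages agree.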

View file

@ -1,36 +0,0 @@
## cscli remove postoverflow
Remove/disable postoverflow parser
### Synopsis
<config> must be a valid collection.
```
cscli remove postoverflow [config] [flags]
```
### Options
```
-h, --help help for postoverflow
```
### Options inherited from parent commands
```
--all Delete all the files in selected scope
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--purge Delete source file in ~/.cscli/hub/ too
--warning Set logging to warning.
```
### SEE ALSO
* [cscli remove](cscli_remove.md) - Remove/disable configuration(s)
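Review bot: copy-paste error in the synopsis of `cscli remove postoverflow`: `<config> must be a valid collection.` should read `<config> must be a valid postoverflow.`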

View file

@ -1,36 +0,0 @@
## cscli remove scenario
Remove/disable scenario
### Synopsis
<config> must be a valid scenario.
```
cscli remove scenario [config] [flags]
```
### Options
```
-h, --help help for scenario
```
### Options inherited from parent commands
```
--all Delete all the files in selected scope
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--purge Delete source file in ~/.cscli/hub/ too
--warning Set logging to warning.
```
### SEE ALSO
* [cscli remove](cscli_remove.md) - Remove/disable configuration(s)

@ -1,33 +0,0 @@
## cscli simulation
### Synopsis
### Options
```
-h, --help help for simulation
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
* [cscli simulation disable](cscli_simulation_disable.md) - Disable the simulation mode. Disable only specified scenarios
* [cscli simulation enable](cscli_simulation_enable.md) - Enable the simulation, globally or on specified scenarios
* [cscli simulation status](cscli_simulation_status.md) - Show simulation mode status
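Review bot: the `cscli simulation` page has no title line after the heading and an empty Synopsis, which is also why every child page's SEE ALSO renders as `[cscli simulation](cscli_simulation.md) -` with nothing after the dash. Give the parent cobra command a Short and Long description before the pages are regenerated in the docs repo.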

@ -1,40 +0,0 @@
## cscli simulation disable
Disable the simulation mode. Disable only specified scenarios
### Synopsis
Disable the simulation mode. Disable only specified scenarios
```
cscli simulation disable [scenario_name] [flags]
```
### Examples
```
cscli simulation disable
```
### Options
```
-h, --help help for disable
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli simulation](cscli_simulation.md) -
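Review bot: the short description `Disable the simulation mode. Disable only specified scenarios` reads as two contradictory statements. Given the usage `cscli simulation disable [scenario_name]` and the wording of the sibling enable page (`globally or on specified scenarios`), it should say `Disable the simulation mode, globally or on specified scenarios`.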

@ -1,40 +0,0 @@
## cscli simulation enable
Enable the simulation, globally or on specified scenarios
### Synopsis
Enable the simulation, globally or on specified scenarios
```
cscli simulation enable [scenario_name] [flags]
```
### Examples
```
cscli simulation enable
```
### Options
```
-h, --help help for enable
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli simulation](cscli_simulation.md) -

@ -1,40 +0,0 @@
## cscli simulation status
Show simulation mode status
### Synopsis
Show simulation mode status
```
cscli simulation status [flags]
```
### Examples
```
cscli simulation status
```
### Options
```
-h, --help help for status
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli simulation](cscli_simulation.md) -

@ -1,36 +0,0 @@
## cscli update
Fetch available configs from hub
### Synopsis
Fetches the [.index.json](https://github.com/crowdsecurity/hub/blob/master/.index.json) file from hub, containing the list of available configs.
```
cscli update [flags]
```
### Options
```
-h, --help help for update
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
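Review bot: this page says what `cscli update` fetches (`.index.json` from the hub) but nothing about the channel used or how the index and the files that `cscli install` later pulls from it are validated. For the command that brings detection logic onto every host, the relocated page should state that, or link to where it is documented.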

@ -1,62 +0,0 @@
## cscli upgrade
Upgrade configuration(s)
### Synopsis
Upgrade configuration from the CrowdSec Hub.
In order to upgrade latest versions of configuration,
the Hub cache should be [updated](./cscli_update.md).
Tainted configuration will not be updated (use --force to update them).
[type] must be parser, scenario, postoverflow, collection.
[config_name] must be a valid config name from [Crowdsec Hub](https://hub.crowdsec.net).
```
cscli upgrade [type] [config] [flags]
```
### Examples
```
cscli upgrade [type] [config_name]
cscli upgrade --all # Upgrade all configurations types
cscli upgrade --force # Overwrite tainted configuration
```
### Options
```
--all Upgrade all configuration in scope
--force Overwrite existing files, even if tainted
-h, --help help for upgrade
```
### Options inherited from parent commands
```
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli](cscli.md) - cscli allows you to manage crowdsec
* [cscli upgrade collection](cscli_upgrade_collection.md) - Upgrade collection configuration(s)
* [cscli upgrade parser](cscli_upgrade_parser.md) - Upgrade parser configuration(s)
* [cscli upgrade postoverflow](cscli_upgrade_postoverflow.md) - Upgrade postoverflow parser configuration(s)
* [cscli upgrade scenario](cscli_upgrade_scenario.md) - Upgrade scenario configuration(s)
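Review bot: `In order to upgrade latest versions of configuration, the Hub cache should be [updated]` is ungrammatical; suggest `To upgrade to the latest versions, first refresh the Hub cache with [cscli update](./cscli_update.md)`. The example comment `cscli upgrade --force # Overwrite tainted configuration` is the only place that hints local edits are lost; spell that out in the `--force` option description as well.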

@ -1,44 +0,0 @@
## cscli upgrade collection
Upgrade collection configuration(s)
### Synopsis
Upgrade one or more collection configurations
```
cscli upgrade collection [config] [flags]
```
### Examples
```
- cscli upgrade collection crowdsec/apache-lamp
- cscli upgrade collection -all
- cscli upgrade collection crowdsec/apache-lamp --force
```
### Options
```
-h, --help help for collection
```
### Options inherited from parent commands
```
--all Upgrade all configuration in scope
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--force Overwrite existing files, even if tainted
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli upgrade](cscli_upgrade.md) - Upgrade configuration(s)
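Review bot: the example `cscli upgrade collection -all` uses a single dash; the flag documented in the inherited options is `--all`. The three example lines are also prefixed with `- `, which renders as a literal dash inside the code fence; drop the prefix so the lines can be pasted as-is.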

@ -1,44 +0,0 @@
## cscli upgrade parser
Upgrade parser configuration(s)
### Synopsis
Upgrade one or more parser configurations
```
cscli upgrade parser [config] [flags]
```
### Examples
```
- cscli upgrade parser crowdsec/apache-logs
- cscli upgrade parser -all
- cscli upgrade parser crowdsec/apache-logs --force
```
### Options
```
-h, --help help for parser
```
### Options inherited from parent commands
```
--all Upgrade all configuration in scope
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--force Overwrite existing files, even if tainted
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli upgrade](cscli_upgrade.md) - Upgrade configuration(s)
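Review bot: same flag typo as the collection page: `cscli upgrade parser -all` should be `cscli upgrade parser --all`, and the `- ` prefixes inside the code fence should go.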

View file

@ -1,44 +0,0 @@
## cscli upgrade postoverflow
Upgrade postoverflow parser configuration(s)
### Synopsis
Upgrade one or more postoverflow parser configurations
```
cscli upgrade postoverflow [config] [flags]
```
### Examples
```
- cscli upgrade postoverflow crowdsec/enrich-rdns
- cscli upgrade postoverflow -all
- cscli upgrade postoverflow crowdsec/enrich-rdns --force
```
### Options
```
-h, --help help for postoverflow
```
### Options inherited from parent commands
```
--all Upgrade all configuration in scope
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--force Overwrite existing files, even if tainted
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli upgrade](cscli_upgrade.md) - Upgrade configuration(s)
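Review bot: `cscli upgrade postoverflow -all` should be `cscli upgrade postoverflow --all` (the inherited option is `--all`), and the `- ` prefixes on the example lines should be removed.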

View file

@ -1,43 +0,0 @@
## cscli upgrade scenario
Upgrade scenario configuration(s)
### Synopsis
Upgrade one or more scenario configurations
```
cscli upgrade scenario [config] [flags]
```
### Examples
```
- cscli upgrade scenario -all
- cscli upgrade scenario crowdsec/http-404 --force
```
### Options
```
-h, --help help for scenario
```
### Options inherited from parent commands
```
--all Upgrade all configuration in scope
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config/default.yaml")
--debug Set logging to debug.
--error Set logging to error.
--force Overwrite existing files, even if tainted
--info Set logging to info.
-o, --output string Output format : human, json, raw. (default "human")
--warning Set logging to warning.
```
### SEE ALSO
* [cscli upgrade](cscli_upgrade.md) - Upgrade configuration(s)
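Review bot: `cscli upgrade scenario -all` should be `cscli upgrade scenario --all`, and the `- ` prefixes on the example lines should be removed, as on the other three upgrade pages.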

@ -1,134 +0,0 @@
{{v0X.crowdsec.Name}}'s main goal is to crunch logs to detect things (duh).
You will find below an introduction to the concepts that are frequently used within the documentation.
## Acquisition
[Acquistion configuration](/Crowdsec/v0/guide/crowdsec/acquisition/) defines which streams of information {{v0X.crowdsec.name}} is going to process.
At the time of writing, it's mostly files, but it should be more or less any kind of stream, such as a kafka topic or a cloudtrail.
Acquisition configuration always contains a stream (ie. a file to tail) and a tag (ie. "these are in syslog format" "these are non-syslog nginx logs").
File acquisition configuration is defined as :
```yaml
filenames: #a list of file or regexp to read from (supports regular expressions)
- /var/log/nginx/http_access.log
- /var/log/nginx/https_access.log
- /var/log/nginx/error.log
labels:
type: nginx
---
filenames:
- /var/log/auth.log
labels:
type: syslog
```
The `labels` part is here to tag the incoming logs with a type. `labels.type` are used by the parsers to know which logs to process.
## Parsers [[reference](/Crowdsec/v0/references/parsers/)]
For logs to be able to be exploited and analyzed, they need to be parsed and normalized, and this is where parsers are used.
A parser is a YAML configuration file that describes how a string is being parsed. Said string can be a log line, or a field extracted from a previous parser. While a lot of parsers rely on the **GROK** approach (a.k.a regular expression named capture groups), parsers can as well reference enrichment modules to allow specific data processing.
A parser usually has a specific scope. For example, if you are using [nginx](https://nginx.org), you will probably want to use the `crowdsecurity/nginx-logs` which allows your {{v0X.crowdsec.name}} setup to parse nginx's access and error logs.
Parsers are organized into stages to allow pipelines and branching in parsing.
See the [{{v0X.hub.name}}]({{v0X.hub.url}}) to explore parsers, or see below some examples :
- [apache2 access/error log parser](https://github.com/crowdsecurity/hub/blob/master/parsers/s01-parse/crowdsecurity/apache2-logs.yaml)
- [iptables logs parser](https://github.com/crowdsecurity/hub/blob/master/parsers/s01-parse/crowdsecurity/iptables-logs.yaml)
- [http logs post-processing](https://github.com/crowdsecurity/hub/blob/master/parsers/s02-enrich/crowdsecurity/http-logs.yaml)
You can as well [write your own](/Crowdsec/v0/write_configurations/parsers/) !
## Stages
Parsers are organized into "stages" to allow pipelines and branching in parsing. Each parser belongs to a stage, and can trigger next stage when successful. At the time of writing, the parsers are organized around 3 stages :
- `s00-raw` : low level parser, such as syslog
- `s01-parse` : most of the services parsers (ssh, nginx etc.)
- `s02-enrich` : enrichment that requires parsed events (ie. geoip-enrichment) or generic parsers that apply on parsed logs (ie. second stage http parser)
The number and structure of stages can be altered by the user, the directory structure and their alphabetical order dictates in which order stages and parsers are processed.
Every event starts in the first stage, and will move to the next stage once it has been successfully processed by a parser that has the `onsuccess` directive set to `next_stage`, and so on until it reaches the last stage, when it's going to start to be matched against scenarios. Thus a sshd log might follow this pipeline :
- `s00-raw` : be parsed by `crowdsecurity/syslog-logs` (will move event to the next stage)
- `s01-raw` : be parsed by `crowdsecurity/sshd-logs` (will move event to the next stage)
- `s02-enrich` : will be parsed by `crowdsecurity/geoip-enrich` and `crowdsecurity/dateparse-enrich`
## Enrichers
Enrichment is the action of adding extra context to an event based on the information we already have, so that better decision can later be taken. In most cases, you should be able to find the relevant enrichers on our {{v0X.hub.htmlname}}.
A common/simple type of enrichment would be [geoip-enrich](https://github.com/crowdsecurity/hub/blob/master/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml) of an event (adding information such as : origin country, origin AS and origin IP range to an event).
Once again, you should be able to find the ones you're looking for on the {{v0X.hub.htmlname}} !
## Scenarios [[reference](/Crowdsec/v0/references/scenarios/)]
Scenarios is the expression of a heuristic that allows you to qualify a specific event (usually an attack).It is a YAML file that describes a set of events characterizing a scenario. Scenarios in {{v0X.crowdsec.name}} gravitate around the [leaky bucket](https://en.wikipedia.org/wiki/Leaky_bucket) principle.
A scenario description includes at least :
- Event eligibility rules. (For example if we're writing a ssh bruteforce detection we only focus on logs of type `ssh_failed_auth`)
- Bucket configuration such as the leak speed or its capacity (in our same ssh bruteforce example, we might allow 1 failed auth per 10s and no more than 5 in a short amount of time: `leakspeed: 10s` `capacity: 5`)
- Aggregation rules : per source ip or per other criterias (in our ssh bruteforce example, we will group per source ip)
The description allows for many other rules to be specified (blackhole, distinct filters etc.), to allow rather complex scenarios.
See the [{{v0X.hub.name}}]({{v0X.hub.url}}) to explore scenarios and their capabilities, or see below some examples :
- [ssh bruteforce detection](https://github.com/crowdsecurity/hub/blob/master/scenarios/crowdsecurity/ssh-bf.yaml)
- [distinct http-404 scan](https://github.com/crowdsecurity/hub/blob/master/scenarios/crowdsecurity/http-scan-uniques_404.yaml)
- [iptables port scan](https://github.com/crowdsecurity/hub/blob/master/scenarios/crowdsecurity/iptables-scan-multi_ports.yaml)
You can as well [write your own](/Crowdsec/v0/write_configurations/scenarios/) !
## Collections
To make user's life easier, "collections" are available, which are just a bundle of parsers and scenarios.
In this way, if you want to cover basic use-cases of let's say "nginx", you can just install the `crowdsecurity/nginx` collection that is composed of `crowdsecurity/nginx-logs` parser, as well as generic http scenarios such as `crowdsecurity/base-http-scenarios`.
As usual, those can be found on the {{v0X.hub.htmlname}} !
## Event
The objects that are processed within {{v0X.crowdsec.name}} are named "Events".
An Event can be a log line, or an overflow result. This object layout evolves around a few important items :
- `Parsed` is an associative array that will be used during parsing to store temporary variables or processing results.
- `Enriched`, very similar to `Parsed`, is an associative array but is intended to be used for enrichment process.
- `Overflow` is a `SignalOccurence` structure that represents information about a triggered scenario, when applicable.
- `Meta` is an associative array that will be used to keep track of meta information about the event.
_Other fields omitted for clarity, see [`pkg/types/event.go`](https://github.com/crowdsecurity/crowdsec/blob/master/pkg/types/event.go) for detailed definition_
## Overflow or SignalOccurence
This object holds the relevant information about a scenario that happened : who / when / where / what etc.
Its most relevant fields are :
- `Scenario` : name of the scenario
- `Alert_message` : a humanly readable message about what happened
- `Events_count` : the number of individual events that lead to said overflow
- `Start_at` + `Stop_at` : timestamp of the first and last events that triggered the scenario
- `Source` : a binary representation of the source of the attack
- `Source_[ip,range,AutonomousSystemNumber,AutonomousSystemOrganization,Country]` : string representation of source information
- `Labels` : an associative array representing the scenario "labels" (see scenario definition)
_Other fields omitted for clarity, see [`pkg/types/signal_occurence.go`](https://github.com/crowdsecurity/crowdsec/blob/master/pkg/types/signal_occurence.go) for detailed definition_
### PostOverflow
A postoverflow is a parser that will be applied on overflows (scenario results) before the decision is written to local DB or pushed to API. Parsers in postoverflows are meant to be used for "expensive" enrichment/parsing process that you do not want to perform on all incoming events, but rather on decision that are about to be taken.
An example could be slack/mattermost enrichment plugin that requires human confirmation before applying the decision or reverse-dns lookup operations.
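Review bot: the sshd pipeline example lists `s01-raw : be parsed by crowdsecurity/sshd-logs` as the second stage, but the stage list a few paragraphs earlier names it `s01-parse`; change it to `s01-parse` or the reader will look for a directory that does not exist. Same hunk, smaller fixes to carry into the docs repo: `Acquistion configuration` should be `Acquisition configuration`; `Scenarios is the expression of a heuristic ... (usually an attack).It is a YAML file` needs `A scenario is` and a space before `It`; `Aggregation rules : per source ip or per other criterias` should be `criteria`. Keep `SignalOccurence` spelled as it is, since the linked file is `pkg/types/signal_occurence.go`.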

@ -1,204 +0,0 @@
## List installed configurations
> List installed parsers/scenarios/collections/enricher
```bash
{{v0X.cli.bin}} list
```
On the machine where you deployed {{v0X.crowdsec.name}}, type `{{v0X.cli.bin}} list` to see deployed configurations.
This list represents the parsers, scenarios and/or collections that you deployed. They represent what your {{v0X.crowdsec.name}} setup can read (logs) and detect (scenarios).
Check [{{v0X.cli.name}} configuration](/Crowdsec/v0/guide/cscli/) management for more !
<details>
<summary>output example</summary>
```bash
bui@sd:~$ {{v0X.cli.bin}} list
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers
INFO[0000] PARSERS:
--------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------------------------------------------------------------------------------------
crowdsec/nginx-logs ✔️ enabled 0.3 /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
crowdsec/sshd-logs ✔️ enabled 0.3 /etc/crowdsec/config/parsers/s01-parse/sshd-logs.yaml
crowdsec/syslog-logs ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s00-raw/syslog-logs.yaml
crowdsec/whitelists ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/whitelists.yaml
crowdsec/dateparse-enrich ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/dateparse-enrich.yaml
crowdsec/iptables-logs ✔️ enabled 0.3 /etc/crowdsec/config/parsers/s01-parse/iptables-logs.yaml
crowdsec/naxsi-logs ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/naxsi-logs.yaml
crowdsec/http-logs ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/http-logs.yaml
crowdsec/geoip-enrich ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/geoip-enrich.yaml
--------------------------------------------------------------------------------------------------------------------
INFO[0000] SCENARIOS:
-----------------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-----------------------------------------------------------------------------------------------------------------------------
crowdsec/http-crawl-non_statics ✔️ enabled 0.4 /etc/crowdsec/config/scenarios/http-crawl-non_statics.yaml
crowdsec/iptables-scan-multi_ports ✔️ enabled 0.4 /etc/crowdsec/config/scenarios/iptables-scan-multi_ports.yaml
crowdsec/http-scan-uniques_404 ✔️ enabled 0.4 /etc/crowdsec/config/scenarios/http-scan-uniques_404.yaml
crowdsec/ssh-bf ✔️ enabled 0.8 /etc/crowdsec/config/scenarios/ssh-bf.yaml
-----------------------------------------------------------------------------------------------------------------------------
INFO[0000] COLLECTIONS:
-------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-------------------------------------------------------------------------------------------------------------------
crowdsec/base-http-scenarios ✔️ enabled 0.1 /etc/crowdsec/config/collections/base-http-scenarios.yaml
crowdsec/iptables ✔️ enabled 0.2 /etc/crowdsec/config/collections/iptables.yaml
crowdsec/nginx ✔️ enabled 0.2 /etc/crowdsec/config/collections/nginx.yaml
crowdsec/sshd ✔️ enabled 0.2 /etc/crowdsec/config/collections/sshd.yaml
crowdsec/linux ✔️ enabled 0.2 /etc/crowdsec/config/collections/linux.yaml
-------------------------------------------------------------------------------------------------------------------
INFO[0000] POSTOVERFLOWS:
--------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------
--------------------------------------
```
</details>
## Finding configurations
{{v0X.crowdsec.Name}} efficiency is dictated by installed parsers and scenarios, so [take a look at the {{v0X.hub.name}}]({{v0X.hub.url}}) to find the appropriated ones !
If you didn't perform the setup with the wizard, or if you are reading logs from other machines, you will have to pick the right {{v0X.collections.htmlname}}. This will ensure that {{v0X.crowdsec.name}} can parse the logs and has the corresponding scenarios.
For example, if you're processing [nginx](http://nginx.org) logs, you might want to install the [nginx collection](https://hub.crowdsec.net/author/crowdsecurity/collections/nginx).
A collection can be installed by typing `cscli install collection crowdsecurity/nginx`, and provides all the necessary parsers and scenarios to handle said log source. `systemctl reload crowdsec` to ensure the new scenarios are loaded.
In the same spirit, the [crowdsecurity/sshd](https://hub.crowdsec.net/author/crowdsecurity/collections/sshd)'s collection will fit most sshd setups !
While {{v0X.crowdsec.name}} is running, a quick look at [`cscli metrics`](/Crowdsec/v0/observability/command_line/) should help you ensure that your log sources are correctly parsed.
## List existing bans
> List current bans
```bash
{{v0X.cli.bin}} ban list
```
On the machine where you deployed {{v0X.crowdsec.name}}, type `{{v0X.cli.bin}} ban list` to see existing bans.
If you just deployed {{v0X.crowdsec.name}}, the list might be empty, but don't worry, it simply means you haven't yet been attacked, congrats!
Check [{{v0X.cli.name}} ban](/Crowdsec/v0/cheat_sheets/ban-mgmt/) management for more !
<details>
<summary>output example</summary>
```bash
bui@sd:~$ {{v0X.cli.bin}} ban list
7 local decisions:
+--------+----------------+--------------------------------+------+--------+---------+--------------------------------+--------+------------+
| SOURCE | IP | REASON | BANS | ACTION | COUNTRY | AS | EVENTS | EXPIRATION |
+--------+----------------+--------------------------------+------+--------+---------+--------------------------------+--------+------------+
| local | 103.218.xxx.xx | crowdsecurity/ssh-bf | 4 | ban | HK | 59077 Shanghai UCloud | 24 | 3h28m24s |
| | | | | | | Information Technology Company | | |
| | | | | | | Limited | | |
| local | 176.174.x.xx | crowdsecurity/ssh-bf | 11 | ban | FR | 5410 Bouygues Telecom SA | 66 | 2h48m6s |
| local | 37.49.xxx.xxx | crowdsecurity/ssh-bf | 4 | ban | NL | 0 | 37 | 2h16m35s |
| local | 37.49.xxx.xx | crowdsecurity/ssh-bf_user-enum | 5 | ban | NL | 0 | 59 | 2h16m21s |
| local | 92.246.xx.xxx | crowdsecurity/ssh-bf_user-enum | 2 | ban | | 0 | 12 | 1h42m2s |
| local | 23.237.x.xx | crowdsecurity/ssh-bf | 8 | ban | US | 174 Cogent Communications | 48 | 1h7m48s |
| local | 185.153.xxx.xx | crowdsecurity/ssh-bf_user-enum | 59 | ban | MD | 49877 RM Engineering LLC | 449 | 12m54s |
+--------+----------------+--------------------------------+------+--------+---------+--------------------------------+--------+------------+
And 64 records from API, 32 distinct AS, 19 distinct countries
```
</details>
There are different bans sources:
- local : bans triggered locally
- api : bans fetched from the API as part of the global consensus
- cli : bans added via `{{v0X.cli.bin}} ban add`
## Monitor on-going activity (prometheus)
> List metrics
```bash
{{v0X.cli.bin}} metrics
```
The metrics displayed are extracted from {{v0X.crowdsec.name}} prometheus.
The indicators are grouped by scope :
- Buckets : Know which buckets are created and/or overflew (scenario efficiency)
- Acquisition : Know which file produce logs and if thy are parsed (or end up in bucket)
- Parser : Know how frequently the individual parsers are triggered and their success rate
<details>
<summary>output example</summary>
```bash
bui@sd:~$ {{v0X.cli.bin}} metrics
INFO[0000] Buckets Metrics:
+---------------------------------+-----------+--------------+--------+---------+
| BUCKET | OVERFLOWS | INSTANTIATED | POURED | EXPIRED |
+---------------------------------+-----------+--------------+--------+---------+
| crowdsec/http-scan-uniques_404 | 69 | 77 | 424 | 8 |
| crowdsec/ssh-bf | 4 | 23 | 53 | 18 |
| crowdsec/ssh-bf_user-enum | - | 21 | 23 | 20 |
| crowdsec/http-crawl-non_statics | 9 | 14 | 425 | 5 |
+---------------------------------+-----------+--------------+--------+---------+
INFO[0000] Acquisition Metrics:
+------------------------------------------+------------+--------------+----------------+------------------------+
| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+------------------------------------------+------------+--------------+----------------+------------------------+
| /var/log/nginx/error.log | 496 | 496 | - | - |
| /var/log/nginx/http.access.log | 472 | 465 | 7 | 847 |
| /var/log/nginx/https.access.log | 1 | 1 | - | 2 |
| /var/log/auth.log | 357 | 53 | 304 | 76 |
| /var/log/kern.log | 2292 | - | 2292 | - |
| /var/log/syslog | 2358 | - | 2358 | - |
+------------------------------------------+------------+--------------+----------------+------------------------+
INFO[0000] Parser Metrics:
+---------------------------+------+--------+----------+
| PARSERS | HITS | PARSED | UNPARSED |
+---------------------------+------+--------+----------+
| crowdsec/syslog-logs | 5007 | 5007 | 0 |
| crowdsec/whitelists | 1015 | 1015 | 0 |
| crowdsec/dateparse-enrich | 1015 | 1015 | 0 |
| crowdsec/geoip-enrich | 519 | 519 | 0 |
| crowdsec/http-logs | 962 | 427 | 535 |
| crowdsec/nginx-logs | 973 | 962 | 11 |
| crowdsec/non-syslog | 969 | 969 | 0 |
| crowdsec/sshd-logs | 350 | 53 | 297 |
+---------------------------+------+--------+----------+
```
</details>
## Monitor on-going activity (log files)
The {{v0X.crowdsec.main_log}} file will tell you what is going on and when an IP is blocked.
Check [{{v0X.crowdsec.name}} monitoring](/Crowdsec/v0/observability/overview/) for more !
<details>
<summary>output example</summary>
```bash
bui@sd:~$ tail -f /var/log/crowdsec-agent.log
time="14-04-2020 16:06:21" level=warning msg="40 existing LeakyRoutine"
time="14-04-2020 16:14:07" level=warning msg="1.2.3.4 triggered a 4h0m0s ip ban remediation for [crowdsec/ssh-bf]" bucket_id=throbbing-forest event_time="2020-04-14 16:14:07.215101505 +0200 CEST m=+359659.646220115" scenario=crowdsec/ssh-bf source_ip=1.2.3.4
time="14-04-2020 16:15:52" level=info msg="api push signal: token renewed. Pushing signals"
time="14-04-2020 16:15:53" level=info msg="api push signal: pushed 1 signals successfully"
time="14-04-2020 16:21:10" level=warning msg="18 existing LeakyRoutine"
time="14-04-2020 16:30:01" level=info msg="Flushed 1 expired entries from Ban Application"
time="14-04-2020 16:33:23" level=warning msg="33 existing LeakyRoutine"
time="14-04-2020 16:35:58" level=info msg="Flushed 1 expired entries from Ban Application"
```
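Review bot: in the "Monitor on-going activity (prometheus)" part, the Acquisition table shows `LINES POURED TO BUCKET` larger than `LINES PARSED` for `/var/log/nginx/http.access.log` (847 poured vs 465 parsed) and the prose never explains it; one parsed line can be poured into several buckets, and the description of the Acquisition scope should say so, otherwise readers will take the table as inconsistent. In the same passage fix "if thy are parsed" to "if they are parsed" and "appropriated ones" to "appropriate ones". Style: the "Finding configurations" commands (`cscli install collection crowdsecurity/nginx`, `cscli metrics`) and the `tail -f /var/log/crowdsec-agent.log` example hardcode the binary and log path while the rest of the file uses `{{v0X.cli.bin}}` and `{{v0X.crowdsec.main_log}}`; and the hub namespace is written `crowdsecurity/` in those commands but `crowdsec/` in every output listing.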
</details>


@ -1,83 +0,0 @@
# Installation
Fetch {{v0X.crowdsec.name}}'s latest version [here]({{v0X.crowdsec.download_url}}).
```bash
tar xvzf crowdsec-release.tgz
```
```bash
cd crowdsec-v0.X.X
```
A {{v0X.wizard.name}} is provided to help you deploy {{v0X.crowdsec.name}} and {{v0X.cli.name}}.
## Using the interactive wizard
```
sudo {{v0X.wizard.bin}} -i
```
![crowdsec](../assets/images/crowdsec_install.gif)
The {{v0X.wizard.name}} is going to guide you through the following steps :
- detect services that are present on your machine
- detect selected services logs
- suggest collections (parsers and scenarios) to deploy
- deploy & configure {{v0X.crowdsec.name}} in order to watch selected logs for selected scenarios
The process should take less than a minute, [please report if there are any issues]({{v0X.wizard.bugreport}}).
You are then ready to [take a tour](/Crowdsec/v0/getting_started/crowdsec-tour/) of your freshly deployed {{v0X.crowdsec.name}} !
## Binary installation
> you of little faith
```
sudo {{v0X.wizard.bin}} --bininstall
```
This will deploy a valid/empty {{v0X.crowdsec.name}} configuration files and binaries.
Beware, in this state, {{v0X.crowdsec.name}} won't monitor/detect anything unless configured.
```
cscli install collection crowdsecurity/linux
```
Installing at least the `crowdsecurity/linux` collection will provide you :
- syslog parser
- geoip enrichment
- date parsers
You will need as well to configure your {{v0X.ref.acquis}} file to feed {{v0X.crowdsec.name}} some logs.
## From source
!!! warning "Requirements"
* [Go](https://golang.org/doc/install) v1.13+
* `git clone {{v0X.crowdsec.url}}`
* [jq](https://stedolan.github.io/jq/download/)
Go in {{v0X.crowdsec.name}} folder and build the binaries :
```bash
cd crowdsec
```
```bash
make build
```
{{v0X.crowdsec.name}} bin will be located in `./cmd/crowdsec/crowdsec` and {{v0X.cli.name}} bin in `cmd/crowdsec-cli/{{v0X.cli.bin}}`
Now, you can install either with [interactive wizard](#using-the-interactive-wizard) or the [unattended mode](#using-unattended-mode).
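Review bot: the installation steps go straight from "Fetch the latest version" through `tar xvzf crowdsec-release.tgz` to `sudo {{v0X.wizard.bin}} -i`, i.e. an unverified archive is unpacked and its installer is run as root, with no checksum or signature check in between; the relocated page should add a verification step before the `tar` line, or at least point to where release checksums or signatures are published. The closing sentence links to `#using-unattended-mode`, but this file only has "Using the interactive wizard", "Binary installation" and "From source" sections, so the anchor is dead; either add the unattended-mode section or drop the link. The "From source" requirements also list `git clone {{v0X.crowdsec.url}}` as if it were a prerequisite rather than a step; move it into the build instructions before `cd crowdsec`.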


@ -1,83 +0,0 @@
!!! info
Please note that the `{{v0X.config.acquis_path}}` should be auto generated by the {{v0X.wizard.name}} in most case.
The acquisition configuration specifies lists of files to monitor and associated "labels".
The `type` label is mandatory as it's later used in the process to determine which parser(s) can handle lines coming from this source.
Acquisition can be found in `{{v0X.config.acquis_path}}`, for example :
<details>
<summary>Acquisition example</summary>
```yaml
filenames:
- /var/log/nginx/access-*.log
- /var/log/nginx/error.log
labels:
type: nginx
---
filenames:
- /var/log/auth.log
labels:
type: syslog
```
</details>
## Testing and viewing acquisition
### At startup
At startup, you will see the monitored files in `{{v0X.crowdsec.main_log}}` :
```
...
time="30-04-2020 08:57:25" level=info msg="Opening file '/var/log/nginx/http.access.log' (pattern:/var/log/nginx/http.access.log)"
time="30-04-2020 08:57:25" level=info msg="Opening file '/var/log/nginx/https.access.log' (pattern:/var/log/nginx/https.access.log)"
time="30-04-2020 08:57:25" level=info msg="Opening file '/var/log/nginx/error.log' (pattern:/var/log/nginx/error.log)"
time="30-04-2020 08:57:25" level=info msg="Opening file '/var/log/auth.log' (pattern:/var/log/auth.log)"
time="30-04-2020 08:57:25" level=info msg="Opening file '/var/log/syslog' (pattern:/var/log/syslog)"
time="30-04-2020 08:57:25" level=info msg="Opening file '/var/log/kern.log' (pattern:/var/log/kern.log)"
...
```
### At runtime
{{v0X.cli.name}} allows you to view {{v0X.crowdsec.name}} metrics info via the `metrics` command.
This allows you to see how many lines are coming from each source, and if they are parsed correctly.
You can see those metrics with the following command:
```
{{v0X.cli.bin}} metrics
```
<details>
<summary>{{v0X.cli.name}} metrics example</summary>
```bash
## {{v0X.cli.bin}} metrics
...
INFO[0000] Acquisition Metrics:
+------------------------------------------+------------+--------------+----------------+------------------------+
| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+------------------------------------------+------------+--------------+----------------+------------------------+
| /var/log/nginx/http.access.log | 47 | 46 | 1 | 10 |
| /var/log/nginx/https.access.log | 25 | 25 | - | 18 |
| /var/log/kern.log | 297948 | 297948 | - | 69421 |
| /var/log/syslog | 303868 | 297947 | 5921 | 71539 |
| /var/log/auth.log | 63419 | 12896 | 50523 | 20463 |
| /var/log/nginx/error.log | 65 | 65 | - | - |
+------------------------------------------+------------+--------------+----------------+------------------------+
...
```
</details>
!!! info
All these metrics are actually coming from {{v0X.crowdsec.name}}'s prometheus agent. See [prometheus](/Crowdsec/v0/observability/prometheus/) directly for more insights.
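Review bot: the "At runtime" metrics example shows `/var/log/auth.log` with 50523 of 63419 lines unparsed and `/var/log/syslog` with 5921 unparsed, yet the text only says the table lets you see "if they are parsed correctly"; without a sentence explaining that a `syslog`-typed file carries lines for many services and only those a deployed parser handles count as parsed, a reader will read these numbers as a broken setup. Also "in most case" should be "in most cases", and the acquisition example should note that the `---` separator is what delimits independent sources (each with its own `labels.type`), since that is the only way the mandatory `type` label is bound to a file list.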


@ -1,21 +0,0 @@
Enrichers are basically {{v0X.parsers.htmlname}} that can rely on external methods to provide extra contextual information to the event. The enrichers are usually in the `s02-enrich` {{v0X.stage.htmlname}} (after most of the parsing happened).
Enrichers functions should all accept a string as a parameter, and return an associative string array, that will be automatically merged into the `Enriched` map of the {{v0X.event.htmlname}}.
!!! warning
At the time of writing, enrichers plugin mechanism implementation is still ongoing (read: the list of available enrichment methods is currently hardcoded).
As an example let's look into the geoip-enrich parser/enricher :
It relies on [the geolite2 data created by maxmind](https://www.maxmind.com) and the [geoip2 golang module](https://github.com/oschwald/geoip2-golang) to provide the actual data.
It exposes three methods : `GeoIpCity` `GeoIpASN` and `IpToRange` that are used by the `crowdsecurity/geoip-enrich`.
Enrichers can be installed as any other parsers with the following command:
```
{{v0X.cli.bin}} install parser crowdsecurity/geoip-enrich
```
Take a tour at the {{v0X.hub.htmlname}} to find them !
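Review bot: the second paragraph describes the enricher function contract ("accept a string as a parameter, and return an associative string array") as if users could supply their own, but the warning right after it says the list of enrichment methods is hardcoded; either lead with the warning or state that the signature is informational for contributors to the core, not for parser authors. The install example uses `crowdsecurity/geoip-enrich` while the listings elsewhere in this commit show the same item as `crowdsec/geoip-enrich`; pick one namespace. The geoip paragraph names the maxmind data as a dependency but not where crowdsec expects the database files, which is the first thing someone installing this parser outside the wizard will need.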


@ -1,142 +0,0 @@
{{v0X.crowdsec.name}} configuration lives under `{{v0X.config.crowdsec_dir}}` and should be as :
## default.yaml
This is the 'main' configuration file, it allows to specify parameters such as :
- logging (level and media)
- directories (config, data, runtime)
- API flag (on/off)
- prometheus (on/off)
- etc.
<details>
<summary>Default configuration</summary>
```yaml
working_dir: /tmp/
data_dir: /var/lib/crowdsec/data
config_dir: /etc/crowdsec/config
pid_dir: /var/run
log_dir: /var/log/
log_mode: file
log_level: info
profiling: false
apimode: true
daemon: true
prometheus: true
#for prometheus agent / golang debugging
http_listen: 127.0.0.1:6060
plugin:
backend: "/etc/crowdsec/plugins/backend"
```
</details>
#### `working_dir:`
The working directory where Prometheus will write metrics in text file.
#### `data_dir:`
Directory where {{v0X.crowdsec.Name}} will install its data ({{v0X.crowdsec.Name}} database for example).
#### `pid_dir:`
To specify where {{v0X.crowdsec.Name}} PID file will be stored.
#### `config_dir:`
To specify where {{v0X.crowdsec.Name}} configuration will be stored.
#### `log_dir:`
To specify where the logs should be stored.
#### `log_mode:`
To specify your selected logging mode, available modes are :
* `file` : to write logs in a file
* `stdout` : to write logs in STDOUT
#### `log_level:`
To specify the logging level, available levels:
* `debug`
* `info`
* `warning`
* `error`
#### `profiling:`
To enable or disable the profiling in {{v0X.crowdsec.Name}}.
#### `apimode:`
To enable or disable signals sending to the {{v0X.api.htmlname}}.
#### `daemon:`
To enable or disable {{v0X.crowdsec.Name}} daemon mode.
#### `prometheus:`
To enable or disable Prometheus metrics.
### `prometheus_mode:`
If `prometheus` is enabled, and is set to `aggregated`, will restrict prometheus metrics to global ones. All metrics containing a source as a label will be unregistered. Meant to keep cardinality low when relevant.
#### `http_listen:`
To configure the Prometheus service listening `address:port` or {{v0X.crowdsec.Name}} profiling
#### `plugin:`
To specify the directories where {{v0X.ref.output}} plugins will be stored :
* `backend:` : the path where all {{v0X.crowdsec.Name}} backend plugins (database output, ...) will be located.
## acquis.yaml
This is the file that tells which streams (or files) {{v0X.crowdsec.name}} is reading, and their types (so that it knows how to parse them). If you're lucky, this file should be auto-generated by the wizard.
You can find details on the configuration file format [here](/Crowdsec/v0/guide/crowdsec/acquisition/).
## api.yaml
Name is self-explanatory : it holds API configuration.
This file should never be edited by a human : the wizard will deploy safe default for it, and {{v0X.cli.name}} will alter it on your behalf when you register or enroll your machine.
You can look into it, and you should see :
- url endpoints
- login and password (auto-generated by your machine upon registration)
To get new credentials :
```bash
{{v0X.cli.name}} api register
```
Or if you loose your credentials:
```bash
{{v0X.cli.name}} api reset
```
## profiles.yaml
The profiles is what allows you to decide how do you react when a scenario is triggered :
- do you notify yourself on mattermost/slack ?
- do you push the signal to a database so that your bouncers can stop the IP from continuing its attack ?
- do you want to avoid pushing this signal to the API ?
Behind the scenes, the "profiles" system actually allows you to dispatch an event/overflow to various output plugins.
You can find details on the configuration file format of {{v0X.ref.output}}.
## parsers/
This directory holds all the {{v0X.parsers.htmlname}} that are enabled on your system.
The parsers are organized in {{v0X.stage.htmlname}} (which are just folders) and the {{v0X.parsers.htmlname}} themselves are yaml files.
## scenarios/
This directory holds all the {{v0X.scenarios.htmlname}} that are enabled on your system.
The {{v0X.scenarios.htmlname}} are yaml files.
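Review bot: the default `working_dir: /tmp/`, documented as "the working directory where Prometheus will write metrics in text file", has a root daemon writing files to a predictable path inside a world-writable directory, which is a classic symlink / pre-created-file hazard; the page should recommend a dedicated directory (for example under `data_dir`) and the default should follow. Related: `http_listen: 127.0.0.1:6060` serves both the Prometheus scrape endpoint and, per the comment, "golang debugging", so the `profiling:` and `http_listen:` entries should warn against binding to a non-loopback address. The `api.yaml` section says the file holds a login and password but says nothing about its file permissions; add the expected mode and owner. Smaller points: `### prometheus_mode:` is one heading level above its `####` siblings and the key is absent from the "Default configuration" block; "if you loose your credentials" should be "lose"; the `api register` / `api reset` commands use `{{v0X.cli.name}}` where every other command uses `{{v0X.cli.bin}}`; and the `profiles.yaml` section ends with "details on the configuration file format of {{v0X.ref.output}}" with no link.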


@ -1,99 +0,0 @@
## Listing installed parsers
{{v0X.parsers.Htmlname}} are yaml files in `{{v0X.config.crowdsec_dir}}parsers/<STAGE>/parser.yaml`.
!!! info
Alphabetical file order dictates the order of {{v0X.stage.htmlname}} and the orders of parsers within stage.
You can use the following command to view installed parsers:
```
{{v0X.cli.bin}} list parsers
```
<details>
<summary>{{v0X.cli.name}} list example</summary>
```bash
# {{v0X.cli.name}} list parsers
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers
--------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------------------------------------------------------------------------------------
crowdsec/iptables-logs ✔️ enabled 0.3 /etc/crowdsec/config/parsers/s01-parse/iptables-logs.yaml
crowdsec/dateparse-enrich ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/dateparse-enrich.yaml
crowdsec/sshd-logs ✔️ enabled 0.3 /etc/crowdsec/config/parsers/s01-parse/sshd-logs.yaml
crowdsec/whitelists ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/whitelists.yaml
crowdsec/http-logs ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/http-logs.yaml
crowdsec/nginx-logs ✔️ enabled 0.3 /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
crowdsec/syslog-logs ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s00-raw/syslog-logs.yaml
crowdsec/geoip-enrich ✔️ enabled 0.4 /etc/crowdsec/config/parsers/s02-enrich/geoip-enrich.yaml
--------------------------------------------------------------------------------------------------------------------
```
</details>
## Installing parsers
### From the hub
{{v0X.hub.htmlname}} allows you to find needed parsers.
```bash
# {{v0X.cli.name}} install parser crowdsec/nginx-logs
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers
INFO[0000] crowdsec/nginx-logs : OK
INFO[0000] Enabled parsers : crowdsec/nginx-logs
INFO[0000] Enabled crowdsec/nginx-logs
# systemctl reload crowdsec
```
### Your own parsers
[Write your parser configuration](/Crowdsec/v0/write_configurations/parsers/) and deploy yaml file in `{{v0X.config.crowdsec_dir}}parsers/<STAGE>/`.
## Monitoring parsers behavior
{{v0X.cli.name}} allows you to view {{v0X.crowdsec.name}} metrics info via the `metrics` command.
This allows you to see how many logs were ingested and then parsed or unparsed by said parser.
You can see those metrics with the following command:
```
cscli metrics
```
<details>
<summary>{{v0X.cli.name}} metrics example</summary>
```bash
# {{v0X.cli.name}} metrics
...
INFO[0000] Parser Metrics:
+---------------------------+--------+--------+----------+
| PARSERS | HITS | PARSED | UNPARSED |
+---------------------------+--------+--------+----------+
| crowdsec/sshd-logs | 62424 | 12922 | 49502 |
| crowdsec/syslog-logs | 667417 | 667417 | 0 |
| crowdsec/whitelists | 610901 | 610901 | 0 |
| crowdsec/http-logs | 136 | 21 | 115 |
| crowdsec/iptables-logs | 597843 | 597843 | 0 |
| crowdsec/nginx-logs | 137 | 136 | 1 |
| crowdsec/dateparse-enrich | 610901 | 610901 | 0 |
| crowdsec/geoip-enrich | 610836 | 610836 | 0 |
| crowdsec/non-syslog | 137 | 137 | 0 |
+---------------------------+--------+--------+----------+
```
</details>
## Going further
If you're interested into [understanding how parsers are made](/Crowdsec/v0/references/parsers/) or writing your own, please have a look at [this page](/Crowdsec/v0/write_configurations/parsers/).
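Review bot: the "Monitoring parsers behavior" block hardcodes `cscli metrics` while the listing and install examples in the same file use `{{v0X.cli.name}}` / `{{v0X.cli.bin}}`; keep the template. The info box reads "the orders of parsers within stage"; make it "the order of parsers within a stage", and since it states that alphabetical file order decides both stage and parser ordering, it should also say that a locally dropped file in `{{v0X.config.crowdsec_dir}}parsers/<STAGE>/` is subject to the same rule (the "Your own parsers" section currently says nothing about naming). The closing sentence "If you're interested into" should be "interested in".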

View file

@ -1,90 +0,0 @@
Scenarios are yaml files that define "buckets".
Most of the scenarios currently rely on the [leaky bucket](https://en.wikipedia.org/wiki/Leaky_bucket) concept.
Scenarios lead to the instantiation, and sometime the overflow, of buckets.
When a bucket "overflows", the scenario is considered as having been realized.
This event leads to the creation of a new {{v0X.event.htmlname}} that describes the scenario that just happened (via a {{v0X.signal.htmlname}}).
## Listing installed scenarios
scenarios are yaml files in `{{v0X.config.crowdsec_dir}}scenarios/<scenario>.yaml`.
You can view installed scenarios with the following command:
```
{{v0X.cli.bin}} list scenarios
```
<details>
<summary>{{v0X.cli.name}} list example</summary>
```bash
# {{v0X.cli.name}} list scenarios
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers
-----------------------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-----------------------------------------------------------------------------------------------------------------------------
crowdsec/http-scan-uniques_404 ✔️ enabled 0.4 /etc/crowdsec/config/scenarios/http-scan-uniques_404.yaml
crowdsec/ssh-bf ✔️ enabled 0.8 /etc/crowdsec/config/scenarios/ssh-bf.yaml
crowdsec/http-crawl-non_statics ✔️ enabled 0.4 /etc/crowdsec/config/scenarios/http-crawl-non_statics.yaml
crowdsec/iptables-scan-multi_ports ✔️ enabled 0.4 /etc/crowdsec/config/scenarios/iptables-scan-multi_ports.yaml
-----------------------------------------------------------------------------------------------------------------------------
```
</details>
## Installing scenarios
### From the hub
{{v0X.hub.htmlname}} allows you to find needed scenarios.
```bash
# {{v0X.cli.name}} install scenario crowdsec/ssh-bf
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers
INFO[0000] crowdsec/ssh-bf : OK
INFO[0000] Enabled scenarios : crowdsec/ssh-bf
INFO[0000] Enabled crowdsec/ssh-bf
# systemctl reload crowdsec
```
### Your own scenarios
[Write your scenario configuration](/Crowdsec/v0/write_configurations/scenarios/) and deploy yaml file in `{{v0X.config.crowdsec_dir}}scenarios/<scenario.yaml>`.
## Monitoring scenarios behavior
{{v0X.cli.name}} allows you to view {{v0X.crowdsec.name}} metrics info via the `metrics` command.
This allows you to see how many "buckets" associated to each scenario have been created (an event eligible from said scenario has arrived), poured (how many subsequent events have been pushed to said bucket), overflowed (the scenario happened) or underflow (there was not enough event to make the bucket overflow, and it thus expired after a while).
You can see those metrics with the following command:
```
{{v0X.cli.bin}} metrics
```
<details>
<summary>{{v0X.cli.name}} metrics example</summary>
```bash
# {{v0X.cli.name}} metrics
INFO[0000] Buckets Metrics:
+------------------------------------+-----------+--------------+--------+---------+
| BUCKET | OVERFLOWS | INSTANTIATED | POURED | EXPIRED |
+------------------------------------+-----------+--------------+--------+---------+
| crowdsec/http-crawl-non_statics | - | 9 | 14 | 9 |
| crowdsec/http-scan-uniques_404 | - | 11 | 14 | 11 |
| crowdsec/iptables-scan-multi_ports | 13 | 125681 | 141601 | 125650 |
| crowdsec/ssh-bf | 669 | 3721 | 12925 | 3046 |
| crowdsec/ssh-bf_user-enum | 136 | 4093 | 7587 | 3956 |
+------------------------------------+-----------+--------------+--------+---------+
```
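Review bot: the "Monitoring scenarios behavior" paragraph calls the fourth state "underflow" ("there was not enough event to make the bucket overflow, and it thus expired"), but the table it introduces labels that column `EXPIRED`; use one term in both places. Same paragraph: "not enough event" should be "not enough events", and the intro has "sometime the overflow" for "sometimes". The deployment path is written `scenarios/<scenario.yaml>` in "Your own scenarios" but `scenarios/<scenario>.yaml` in "Listing installed scenarios"; the second form is the correct placeholder.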
</details>

Some files were not shown because too many files have changed in this diff.