beenull/crowdsec
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
crowdsec/docs/cheat_sheets/config-mgmt.md
AlteredCoder b7286d6a85
make cscli use crowdsec version for hub (#194)
2020-09-01 14:32:45 +02:00

5.4 KiB
Raw Blame History

{{cli.bin}} allows you install, list, upgrade and remove configurations : parsers, enrichment, scenarios.

!!! warning If you're not running the latest CrowdSec version, configurations might not be the latest available. cscli will use the branch of the corresponding CrowdSec version to download and install configurations from the hub (it will use the master branch if you are on the latest CrowdSec version).

The various parsers, enrichers and scenarios installed on your machine makes a coherent ensemble to provide detection capabilities.

Parsers, Scenarios and Enrichers are often bundled together in "collections" to facilitate configuration.

Parsers, scenarios, enrichers and collections all follow the same principle :

  • {{cli.bin}} install parser crowdsec/nginx-logs
  • {{cli.bin}} update collection crowdsec/base-http-scenarios
  • {{cli.bin}} remove scenario crowdsec/mysql-bf

Please see your local {{cli.bin}} help for up-to-date documentation

List configurations

{{cli.bin}} list

note -a allows for listing of uninstalled configurations as well

{{cli.name}} list example 
$ {{cli.bin}} list
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers 
INFO[0000] PARSERS:                                     
--------------------------------------------------------------------------------------------------------------------
 NAME                       📦 STATUS    VERSION  LOCAL PATH                                                        
--------------------------------------------------------------------------------------------------------------------
 crowdsec/nginx-logs        ✔️  enabled  0.3      /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml        
 crowdsec/geoip-enrich      ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/geoip-enrich.yaml     
 crowdsec/syslog-logs       ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s00-raw/syslog-logs.yaml         
 crowdsec/whitelists        ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/whitelists.yaml       
 crowdsec/http-logs         ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/http-logs.yaml        
 crowdsec/dateparse-enrich  ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/dateparse-enrich.yaml 
--------------------------------------------------------------------------------------------------------------------
INFO[0000] SCENARIOS:                                   
-----------------------------------------------------------------------------------------------------------------------
 NAME                             📦 STATUS    VERSION  LOCAL PATH                                                     
-----------------------------------------------------------------------------------------------------------------------
 crowdsec/http-scan-uniques_404   ✔️  enabled  0.4      /etc/crowdsec/config/scenarios/http-scan-uniques_404.yaml  
 crowdsec/http-crawl-non_statics  ✔️  enabled  0.4      /etc/crowdsec/config/scenarios/http-crawl-non_statics.yaml 
-----------------------------------------------------------------------------------------------------------------------
INFO[0000] COLLECTIONS:                                 
-------------------------------------------------------------------------------------------------------------------
 NAME                          📦 STATUS    VERSION  LOCAL PATH                                                    
-------------------------------------------------------------------------------------------------------------------
 crowdsec/linux                ✔️  enabled  0.2      /etc/crowdsec/config/collections/linux.yaml               
 crowdsec/nginx                ✔️  enabled  0.2      /etc/crowdsec/config/collections/nginx.yaml               
 crowdsec/base-http-scenarios  ✔️  enabled  0.1      /etc/crowdsec/config/collections/base-http-scenarios.yaml 
-------------------------------------------------------------------------------------------------------------------
INFO[0000] POSTOVERFLOWS:                               
--------------------------------------
 NAME  📦 STATUS  VERSION  LOCAL PATH 
--------------------------------------
--------------------------------------

For {{parsers.htmlname}}, {{scenarios.htmlname}}, {{collections.htmlname}} the outputs include, beside the version, the path and the name, a STATUS column :

  • ✔️ enabled : configuration is up-to-date
  • ⚠️ enabled,outdated : a newer version is available
  • 🚫 enabled,local : configuration is not managed by {{cli.name}}
  • ⚠️ enabled,tainted : configuration has been locally modified

(see {{cli.name}} upgrade to upgrade/sync your configurations with {{hub.htmlname}})

Install new configurations

{{cli.bin}} install parser|scenario|postoverflow <name> [--force]

  • {{cli.bin}} install parser crowdsec/nginx-logs
  • {{cli.bin}} install scenario crowdsec/http-scan-uniques_404

Remove configurations

{{cli.bin}} remove parser|scenario|postoverflow <name> [--force]

Upgrade configurations

upgrade a specific scenario

{{cli.bin}} upgrade scenario crowdsec/http-scan-uniques_404

upgrade all scenarios

{{cli.bin}} upgrade scenario --all

upgrade all configurations (parsers, scenarios, collections, postoverflows)

{{cli.bin}} upgrade --all