beenull/crowdsec
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
crowdsec/docs/write_configurations/acquisition.md
Thibault "bui" Koechlin 1533e7e83c
improve acquisition doc (#303)
2020-10-12 10:09:45 +02:00

2.3 KiB
Raw Blame History

What is acquisition

Acquisition configuration (/etc/crowdsec/config/acquis.yaml) defines what log files are read by {{crowdsec.name}}. As log files determines what {{crowdsec.name}} can detect, it is a simple yet crucial part of the configuration.

This acquisition.yaml file is composed of sections that look like this :

filename: /var/log/myservice/foobar.log
labels:
  type: myservice
---
filenames:
  - /var/log/myservice/*.log
  - /var/log/something/else.log
labels:
  type: myservice

Each section indicate :

  • path(s) to a log file (or a regular expression for globing)
  • label(s) indicating the log's type

While the path(s) is straightforward, the labels->type will depend on log's format. If you're using syslog format, labels->type can simply be set to syslog, as it contains the program name itself. If your logs are written directly by a daemon (ie. nginx) with its own format, it must be set accordingly to the parser : nginx for nginx etc.

If you don't know to which value you need to set the labels->type. First check if logs are written in syslog format (it's the case for a lot of services on linux) : in this case simply set it to syslog. If the service - and only if - the service write its own logs, have a look at the associated parser :

$ head /etc/crowdsec/config/parsers/s01-parse/mysql-logs.yaml 
...
#labels->type must be set to 'mysql'
filter: "evt.Parsed.program == 'mysql'"
...

!!! warning Properly picking the log type is crucial. If the labels->type is wrong, your logs won't be parsed and thus will be discarded. You can see if your logs are parsed from cscli metrics.

---
filename: <PATH_TO_YOUR_LOG_FILE>
labels:
  type: <PROGRAM_NAME>

Here are some examples:

Nginx acquisition 
---
filename: /var/log/nginx/*.log
labels:
  type: nginx
sshd acquisition 
#Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
mysql acquisition 
#Generated acquisition file - wizard.sh (service: mysql) / files : /var/log/mysql/error.log
filenames:
  - /var/log/mysql/error.log
labels:
  type: mysql