beenull/crowdsec
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
crowdsec/docs/references/output.md
erenJag 4f9d252a15
Add the documentation into crowdsec repo (#3) 
Add the documentation into crowdsec repo
2020-05-15 16:58:24 +02:00

2.3 KiB
Raw Blame History

Output

The output mechanism is composed of plugins. In order to store the bans for {{blockers.htmlname}}, at least one backend plugin must be loaded. Else, bans will not be stored and decisions cannot be applied.

Please see here for the available backend plugin.

In order to filter which signals will be sent to which plugin, {{crowdsec.name}} use a system of profile that can allow to granularly process your bans and signals.

Profile

Here is a sample of a profile configuration:

profile: <profile_name>
filter: "<filter_expression>"
api: true # default true : send signal to crowdsec API
outputs:  # here choose your output plugins for this profile
    - plugin: plugin1
      custom_config: <config>
    - plugin: plugin2

The default configuration that is deployed with {{crowdsec.name}} is the following one:

profile: default_remediation
filter: "sig.Labels.remediation == 'true'"
api: true # If no api: specified, will use the default config in default.yaml
remediation:
  ban: true
  slow: true
  captcha: true
  duration: 4h
outputs:
  - plugin: sqlite
---
profile: default_notification
filter: "sig.Labels.remediation != 'true'"
#remediation is empty, it means non taken
api: false
outputs:
  - plugin: sqlite  # If we do not want to push, we can remove this line and the next one
    store: false

Here we can use {{filter.htmlname}} like in parsers and scenarios with the {{signal.htmlname}} object to choose which signal will be process by which plugin.

Plugins

Plugins configuration file are stored in {{plugins.configpath}}. {{crowdsec.name}} will scan this folder to load all the plugins. Each configuration file should provide the path to the plugin binary. By default they are stored in {{plugins.binpath}}.

!!! info If you want crowdsec to not load a plugin, mv or rm its configuration file in {{plugins.configpath}}

Here is a sample of a plugin configuration file stored in {{plugins.configpath}}:

name: <plugin_name>
path: <path_to_plugin_binary> # 
config: <plugin_config> # in a form of key(string)/value(string)

For the plugin sqlite, here is its configuration file:

name: sqlite
path: /var/lib/crowdsec/plugins/backend/sqlite.so
config:
  db_path: /var/lib/crowdsec/data/crowdsec.db
  flush: true