Skip to content

Configuration Management

allows you install, list, upgrade and remove configurations : parsers, enrichment, scenarios.

Warning

If you're not running the latest CrowdSec version, configurations might not be the latest available. cscli will use the branch of the corresponding CrowdSec version to download and install configurations from the hub (it will use the master branch if you are on the latest CrowdSec version).

The various parsers, enrichers and scenarios installed on your machine makes a coherent ensemble to provide detection capabilities.

Parsers, Scenarios and Enrichers are often bundled together in "collections" to facilitate configuration.

Parsers, scenarios, enrichers and collections all follow the same principle :

  • install parser crowdsec/nginx-logs
  • update collection crowdsec/base-http-scenarios
  • remove scenario crowdsec/mysql-bf

Please see your local help for up-to-date documentation

List configurations

 list

note -a allows for listing of uninstalled configurations as well

cscli list example 
$  list
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers 
INFO[0000] PARSERS:                                     
--------------------------------------------------------------------------------------------------------------------
 NAME                       📦 STATUS    VERSION  LOCAL PATH                                                        
--------------------------------------------------------------------------------------------------------------------
 crowdsec/nginx-logs        ✔️  enabled  0.3      /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml        
 crowdsec/geoip-enrich      ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/geoip-enrich.yaml     
 crowdsec/syslog-logs       ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s00-raw/syslog-logs.yaml         
 crowdsec/whitelists        ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/whitelists.yaml       
 crowdsec/http-logs         ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/http-logs.yaml        
 crowdsec/dateparse-enrich  ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/dateparse-enrich.yaml 
--------------------------------------------------------------------------------------------------------------------
INFO[0000] SCENARIOS:                                   
-----------------------------------------------------------------------------------------------------------------------
 NAME                             📦 STATUS    VERSION  LOCAL PATH                                                     
-----------------------------------------------------------------------------------------------------------------------
 crowdsec/http-scan-uniques_404   ✔️  enabled  0.4      /etc/crowdsec/config/scenarios/http-scan-uniques_404.yaml  
 crowdsec/http-crawl-non_statics  ✔️  enabled  0.4      /etc/crowdsec/config/scenarios/http-crawl-non_statics.yaml 
-----------------------------------------------------------------------------------------------------------------------
INFO[0000] COLLECTIONS:                                 
-------------------------------------------------------------------------------------------------------------------
 NAME                          📦 STATUS    VERSION  LOCAL PATH                                                    
-------------------------------------------------------------------------------------------------------------------
 crowdsec/linux                ✔️  enabled  0.2      /etc/crowdsec/config/collections/linux.yaml               
 crowdsec/nginx                ✔️  enabled  0.2      /etc/crowdsec/config/collections/nginx.yaml               
 crowdsec/base-http-scenarios  ✔️  enabled  0.1      /etc/crowdsec/config/collections/base-http-scenarios.yaml 
-------------------------------------------------------------------------------------------------------------------
INFO[0000] POSTOVERFLOWS:                               
--------------------------------------
 NAME  📦 STATUS  VERSION  LOCAL PATH 
--------------------------------------
--------------------------------------

For parsers, scenarios, collections the outputs include, beside the version, the path and the name, a STATUS column :

  • ✔️ enabled : configuration is up-to-date
  • ⚠️ enabled,outdated : a newer version is available
  • 🚫 enabled,local : configuration is not managed by cscli
  • ⚠️ enabled,tainted : configuration has been locally modified

(see cscli upgrade to upgrade/sync your configurations with Crowdsec Hub)

Install new configurations

install parser|scenario|postoverflow <name> [--force]

  • install parser crowdsec/nginx-logs
  • install scenario crowdsec/http-scan-uniques_404

Remove configurations

remove parser|scenario|postoverflow <name> [--force]

Upgrade configurations

upgrade a specific scenario

 upgrade scenario crowdsec/http-scan-uniques_404

upgrade all scenarios

 upgrade scenario --all

upgrade all configurations (parsers, scenarios, collections, postoverflows)

 upgrade --all