Crowdsec Tour
List installed configurations¶
sudo cscli hub list
On the machine where you deployed crowdsec-agent, type sudo cscli hub list to see install configurations.
This list represents the parsers, scenarios and/or collections that you deployed. They represent what your crowdsec-agent setup can read (logs) and detect (scenarios). sudo cscli hub list -a will list all available configurations in the hub.
Check cscli configuration management for more !
output example
$ sudo cscli hub list
INFO[0000] Loaded 13 collecs, 17 parsers, 21 scenarios, 3 post-overflow parsers
INFO[0000] unmanaged items : 23 local, 0 tainted
INFO[0000] PARSERS:
--------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------------------------------------------------------------------------------
crowdsecurity/mysql-logs ✔️ enabled 0.1 /etc/crowdsec/parsers/s01-parse/mysql-logs.yaml
crowdsecurity/sshd-logs ✔️ enabled 0.1 /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
crowdsecurity/dateparse-enrich ✔️ enabled 0.1 /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
crowdsecurity/whitelists ✔️ enabled 0.1 /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
crowdsecurity/geoip-enrich ✔️ enabled 0.2 /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
crowdsecurity/syslog-logs ✔️ enabled 0.1 /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
--------------------------------------------------------------------------------------------------------------
INFO[0000] SCENARIOS:
-------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-------------------------------------------------------------------------------------
crowdsecurity/mysql-bf ✔️ enabled 0.1 /etc/crowdsec/scenarios/mysql-bf.yaml
crowdsecurity/ssh-bf ✔️ enabled 0.1 /etc/crowdsec/scenarios/ssh-bf.yaml
-------------------------------------------------------------------------------------
INFO[0000] COLLECTIONS:
---------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
---------------------------------------------------------------------------------
crowdsecurity/mysql ✔️ enabled 0.1 /etc/crowdsec/collections/mysql.yaml
crowdsecurity/sshd ✔️ enabled 0.1 /etc/crowdsec/collections/sshd.yaml
crowdsecurity/linux ✔️ enabled 0.2 /etc/crowdsec/collections/linux.yaml
---------------------------------------------------------------------------------
INFO[0000] POSTOVERFLOWS:
--------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
--------------------------------------
--------------------------------------
List active decisions¶
sudo cscli decisions list
If you just deployed crowdsec-agent, the list might be empty, but don't worry, it simply means you haven't yet been attacked, congrats!
Check cscli decisions management for more !
output example
$ sudo cscli decisions list
+-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+
| ID | SOURCE | SCOPE:VALUE | REASON | ACTION | COUNTRY | AS | EVENTS | EXPIRATION | ALERT ID |
+-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+
| 802 | cscli | Ip:1.2.3.5 | manual 'ban' from | ban | | | 1 | 3h50m58.10039043s | 802 |
| | | | 'b76cc7b1bbdc489e93909d2043031de8' | | | | | | |
| 801 | crowdsec | Ip:1.2.3.4 | crowdsecurity/ssh-bf | ban | | | 6 | 3h59m45.100387557s | 801 |
+-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+
There are different decisions SOURCE:
- crowdsec : decisions triggered locally by the crowdsec agent
- CAPI : decisions fetched from the Crowdsec Central API
- csli : decisions added via
sudo cscli decisions add
List alerts¶
sudo cscli alerts list
While decisions won't be shown anymore once they expire (or are manually deleted), the alerts will stay visible, allowing you to keep track of past decisions. You will here see the alerts, even if the associated decisions expired.
output example
$ sudo cscli alerts list --since 1h
+----+-------------+----------------------------+---------+----+-----------+---------------------------+
| ID | SCOPE:VALUE | REASON | COUNTRY | AS | DECISIONS | CREATED AT |
+----+-------------+----------------------------+---------+----+-----------+---------------------------+
| 5 | Ip:1.2.3.6 | crowdsecurity/ssh-bf (0.1) | US | | ban:1 | 2020-10-29T11:33:36+01:00 |
+----+-------------+----------------------------+---------+----+-----------+---------------------------+
Monitor on-going activity (prometheus)¶
sudo cscli metrics
The metrics displayed are extracted from crowdsec-agent prometheus. The indicators are grouped by scope :
- Buckets : Know which buckets are created and/or overflew (scenario efficiency)
- Acquisition : Know which file produce logs and if thy are parsed (or end up in bucket)
- Parser : Know how frequently the individual parsers are triggered and their success rate
- Local Api Metrics : Know how often each endpoint of crowdsec's local API has been used
output example
$ sudo cscli metrics
INFO[0000] Buckets Metrics:
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| BUCKET | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/http-bad-user-agent | - | - | 7 | 7 | 7 |
| crowdsecurity/http-crawl-non_statics | - | - | 82 | 107 | 82 |
| crowdsecurity/http-probing | - | - | 2 | 2 | 2 |
| crowdsecurity/http-sensitive-files | - | - | 1 | 1 | 1 |
| crowdsecurity/ssh-bf | 16 | 5562 | 7788 | 41542 | 2210 |
| crowdsecurity/ssh-bf_user-enum | 8 | - | 6679 | 12571 | 6671 |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
INFO[0000] Acquisition Metrics:
+---------------------------+------------+--------------+----------------+------------------------+
| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+---------------------------+------------+--------------+----------------+------------------------+
| /var/log/auth.log | 92978 | 41542 | 51436 | 54113 |
| /var/log/messages | 2 | - | 2 | - |
| /var/log/nginx/access.log | 124 | 99 | 25 | 88 |
| /var/log/nginx/error.log | 287 | 63 | 224 | 29 |
| /var/log/syslog | 27271 | - | 27271 | - |
+---------------------------+------------+--------------+----------------+------------------------+
INFO[0000] Parser Metrics:
+--------------------------------+--------+--------+----------+
| PARSERS | HITS | PARSED | UNPARSED |
+--------------------------------+--------+--------+----------+
| child-crowdsecurity/http-logs | 486 | 232 | 254 |
| child-crowdsecurity/nginx-logs | 723 | 162 | 561 |
| child-crowdsecurity/sshd-logs | 381792 | 41542 | 340250 |
| crowdsecurity/dateparse-enrich | 41704 | 41704 | - |
| crowdsecurity/geoip-enrich | 41641 | 41641 | - |
| crowdsecurity/http-logs | 162 | 59 | 103 |
| crowdsecurity/nginx-logs | 411 | 162 | 249 |
| crowdsecurity/non-syslog | 411 | 411 | - |
| crowdsecurity/sshd-logs | 92126 | 41542 | 50584 |
| crowdsecurity/syslog-logs | 120251 | 120249 | 2 |
| crowdsecurity/whitelists | 41704 | 41704 | - |
+--------------------------------+--------+--------+----------+
INFO[0000] Local Api Metrics:
+----------------------+--------+------+
| ROUTE | METHOD | HITS |
+----------------------+--------+------+
| /v1/alerts | GET | 3 |
| /v1/alerts | POST | 4673 |
| /v1/decisions/stream | GET | 6498 |
| /v1/watchers/login | POST | 23 |
+----------------------+--------+------+
INFO[0000] Local Api Machines Metrics:
+----------------------------------+------------+--------+------+
| MACHINE | ROUTE | METHOD | HITS |
+----------------------------------+------------+--------+------+
| 7f0607a3469243139699bf2f30321fc4 | /v1/alerts | POST | 4673 |
| 7f0607a3469243139699bf2f30321fc4 | /v1/alerts | GET | 3 |
+----------------------------------+------------+--------+------+
INFO[0000] Local Api Bouncers Metrics:
+------------------------------+----------------------+--------+------+
| BOUNCER | ROUTE | METHOD | HITS |
+------------------------------+----------------------+--------+------+
| cs-firewall-bouncer-n3W19Qua | /v1/decisions/stream | GET | 6498 |
+------------------------------+----------------------+--------+------+
Deploy dashboard¶
sudo cscli dashboard setup --listen 0.0.0.0
A docker metabase container can be deployed with cscli dashboard.
It requires docker, installation instructions are available here.
Logs¶
sudo tail -f /var/log/crowdsec.log
/var/log/crowdsec.logis the main log, it shows ongoing decisions and acquisition/parsing/scenario errors./var/log/crowdsec_api.logis the access log of the local api (LAPI)
Installing collections¶
sudo cscli collections install crowdsecurity/nginx
Collections are bundles of parsers/scenarios that form a coherent ensemble to analyze/detect attacks for a specific service. It is the most common way to deploy configurations.
They can be found and browsed on the Crowdsec Hub