You can install crowdsec in different ways :
- Most users set up crowdsec's repositories and install from them, for ease of installation and upgrade
- Some users use debian's official crowdsec packages
- Some users download the DEB package directly and install it manually
- Some users download the tarball directly and install it manually
- Some users use the docker hub image
- And the most adventurous might want to build & install from source
- And some might even want to build their own docker image
- Or use it with docker-compose
Packaging for FreeBSD and RedHat/CentOS are WIP at the time of writing. Documentation will be updated once those packages are published & functional.
Crowdsec agent itself is rather light, and in a small to medium setup should use less than 100Mb of memory. During intensive logs processing, CPU is going to be the most used resource, and memory usage shouldn't really grow.
Install using crowdsec repository¶
Crowdsec distributes their own pragmatic debian packages that closely follow the development stream (packages are automatically published on release), and are suitable for those that want to keep up with the latest changes of crowdsec.
setup the repository¶
wget -qO - https://s3-eu-west-1.amazonaws.com/crowdsec.debian.pragmatic/crowdsec.asc |sudo apt-key add - && echo "deb https://s3-eu-west-1.amazonaws.com/crowdsec.debian.pragmatic/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/crowdsec.list > /dev/null sudo apt-get update
The following debian suites / architectures are available :
|bionic||amd64, arm64, i386|
|buster||amd64, arm64, i386|
|focal||amd64, arm64, i386|
|stretch||amd64, arm64, i386|
|xenial||amd64, arm64, i386|
sudo apt-get install crowdsec
Manually install the debian package¶
Fetch your package from the public repository, and install it manually :
sudo dpkg -i ./crowdsec_1.0.7-4_amd64.deb
Install using debian official packages¶
Crowdsec is available for bullseye & sid and can be installed simply :
sudo apt-get install crowdsec
Install from the release tarball¶
Fetch crowdsec-agent's latest version here.
tar xvzf crowdsec-release.tgz
A wizard is provided to help you deploy crowdsec-agent and cscli.
Using the interactive wizard¶
sudo ./wizard.sh -i
The wizard is going to guide you through the following steps :
- detect services that are present on your machine
- detect selected services logs
- suggest collections (parsers and scenarios) to deploy
- deploy & configure crowdsec-agent in order to watch selected logs for selected scenarios
The process should take less than a minute, please report if there are any issues.
You are then ready to take a tour of your freshly deployed crowdsec-agent !
Keep in mind the crowdsec-agent is only in charge of the "detection", and won't block anything on its own. You need to deploy a bouncers to "apply" decisions.
you of little faith
sudo ./wizard.sh --bininstall
This will only deploy the binaries, and some extra installation steps need to be completed for the software to be functional :
sudo cscli hub update: update the hub index
sudo cscli machines add -a: register crowdsec to the local API
sudo cscli capi register: register to the central API
sudo cscli collections install crowdsecurity/linux: install essential configs (syslog parser, geoip enrichment, date parsers)
- configure your sources in your acquisition :
You can now start & enable the crowdsec service :
sudo systemctl start crowdsec
sudo systemctl enable crowdsec
Using the unattended wizard¶
If your setup is standard and you've walked through the default installation without issues, you can win some time in case you need to perform a new install :
sudo ./wizard.sh --unattended
This mode will emulate the interactive mode of the wizard where you answer yes to everything and stick with the default options.
Install from source¶
Go in crowdsec-agent folder and build the binaries :
cd crowdsec make release
This will create you a directory (
crowdsec-vXXX/) and an archive (
crowdsec-release.tgz) that are release built from your local code source.
Build docker image¶
Crowdsec provides a docker image and can simply built like this :
git clone https://github.com/crowdsecurity/crowdsec.git && cd crowdsec docker build -t crowdsec .