Skip to content

Acquisition format

The /etc/crowdsec/acquis.yaml defines which files are read by crowdsec at runtime. The file is a list of object representing groups of files to read, with the following properties.

A least one of :

  • filename: a string representing the path to a file (globbing supported)
  • filenames: a list of string represent paths to files (globbing supported)
  • journalctl_filter: a list of string passed as arguments to journalctl

And a labels object with a field type indicating the log's type :

filenames:
  - /var/log/nginx/access-*.log
  - /var/log/nginx/error.log
labels:
  type: nginx
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
journalctl_filter:
 - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog

The labels.type is important as it is what will determine which parser will try to process the logs.

The log won't be processed by the syslog parser if its type is not syslog :

$ cat /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml 
filter: "evt.Line.Labels.type == 'syslog'"
...

On the other hand, nginx tends to write its own logs without using syslog :

$ cat /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml 
filter: "evt.Parsed.program startsWith 'nginx'"
...

If for example your nginx was logging via syslog, you need to set its labels.type to syslog so that it's first parsed by the syslog parser, and then by the nginx parser (notice they are in different stages).