Crowdsec configuration

Crowdsec-agent has a main YAML configuration file, usually located in /etc/crowdsec/config.yaml.

Configuration example

Default configuration

common:
  daemonize: true
  pid_dir: /var/run/
  log_media: file
  log_level: info
  log_dir: /var/log/
  working_dir: .
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /var/lib/crowdsec/data/
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
crowdsec_service:
  acquisition_path: /etc/crowdsec/acquis.yaml
  parser_routines: 1
  buckets_routines: 1
  output_routines: 1
cscli:
  output: human
  hub_branch: wip_lapi
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  #user:
  #password:
  #db_name:
  #host:
  #port:
  flush:
    max_items: 5000
    max_age: 7d
api:
  client:
    insecure_skip_verify: true
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    online_client: # Crowdsec API
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
#    tls:
#      cert_file: /etc/crowdsec/ssl/cert.pem
#      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060

Configuration format

common:
  daemonize: (true|false)
  pid_dir: <path_to_pid_folder>
  log_media: (file|stdout)
  log_level: (error|info|debug|trace)
  log_dir: <path_to_log_folder>
  working_dir: <path_to_working_folder>
config_paths:
  config_dir: <path_to_crowdsec_config_folder>
  data_dir: <path_to_crowdsec_data_folder>
  simulation_path: <path_to_simulation_file>
  hub_dir: <path_to_crowdsec_hub_folder>
  index_path: <path_to_hub_index_file>
crowdsec_service:
  acquisition_path: <acquisition_file_path>
  parser_routines: <number_of_parser_routines>
  buckets_routines: <number_of_buckets_routines>
  output_routines: <number_of_output_routines>
cscli:
  output: (human|json|raw)
  hub_branch: <hub_branch>
db_config:
  type: <db_type>
  db_path: <path_to_database_file>
  user: <db_user>         # for mysql/pgsql
  password: <db_password> # for mysql/pgsql
  db_name: <db_name>      # for mysql/pgsql
  host: <db_host_ip>      # for mysql/pgsql
  port: <db_host_port>    # for mysql/pgsql
  flush:
    max_items: <max_alerts_in_db>
    max_age: <max_age_of_alerts_in_db>
api:
  client:
    insecure_skip_verify: (true|false)
    credentials_path: <path_to_local_api_client_credential_file>
  server:
    log_level: (error|info|debug|trace)
    listen_uri: <listen_uri> # host:port
    profiles_path: <path_to_profile_file>
    online_client:
      credentials_path: <path_to_crowdsec_api_client_credential_file>
    tls:
      cert_file: <path_to_certificate_file>
      key_file: <path_to_certificate_key_file>
prometheus:
  enabled: (true|false)
  level: (full|aggregated)
  listen_addr: <listen_address>
  listen_port: <listen_port>

Configuration directives

common

common:
  daemonize: (true|false)
  pid_dir: <path_to_pid_folder>
  log_media: (file|stdout)
  log_level: (error|info|debug|trace)
  log_dir: <path_to_log_folder>
  working_dir: <path_to_working_folder>

daemonize
bool
Whether to run crowdsec as a daemon.

pid_dir
string
Folder in which to store the PID file.

log_media
string
Log media. Can be stdout or file.

log_level
string
Log level. Can be error, info, debug, trace.

log_dir
string
Folder in which to write the log file.
Warning: Works only with log_media = file.

working_dir
string
Current working directory.

config_paths

This section contains most of the paths to the various sub-configuration items.

config_paths:
  config_dir: <path_to_crowdsec_config_folder>
  data_dir: <path_to_crowdsec_data_folder>
  simulation_path: <path_to_simulation_file>
  hub_dir: <path_to_crowdsec_hub_folder>
  index_path: <path_to_hub_index_file>

config_dir
string
The main configuration directory of crowdsec.

data_dir
string
This is where crowdsec stores data, such as files downloaded by scenarios, the geolocation database, the metabase configuration database, or the SQLite database.

simulation_path
string
The path to the simulation configuration.

hub_dir
string
The directory where cscli will store parsers, scenarios, collections and such.

index_path
string
Path to the .index.json file downloaded by cscli to know the list of available configurations.

crowdsec_service

This section is only used by the crowdsec agent.

crowdsec_service:
  acquisition_path: <acquisition_file_path>
  parser_routines: <number_of_parser_routines>
  buckets_routines: <number_of_buckets_routines>
  output_routines: <number_of_output_routines>

parser_routines
int
Number of dedicated goroutines for parsing files.

buckets_routines
int
Number of dedicated goroutines for managing live buckets.

output_routines
int
Number of dedicated goroutines for pushing data to the local API.

acquisition_path
string
Path to the YAML file listing the logs that need to be read.

cscli

This section is only used by cscli.

cscli:
  output: (human|json|raw)
  hub_branch: <hub_branch>

output
string
The default output format (human, json or raw).

hub_branch
string
The git branch on which cscli is going to fetch configurations.

db_config

Please refer to the database configuration.

api

The api section is used by cscli, crowdsec and the local API.

api:
  client:
    insecure_skip_verify: (true|false)
    credentials_path: <path_to_local_api_client_credential_file>
  server:
    log_level: (error|info|debug|trace)
    listen_uri: <listen_uri> # host:port
    profiles_path: <path_to_profile_file>
    online_client:
      credentials_path: <path_to_crowdsec_api_client_credential_file>
    tls:
      cert_file: <path_to_certificate_file>
      key_file: <path_to_certificate_key_file>

client

The client subsection is used by crowdsec and cscli to read and write decisions to the local API.

client:
  insecure_skip_verify: (true|false)
  credentials_path: <path_to_local_api_client_credential_file>

insecure_skip_verify
bool
Skips verification of the local API's TLS certificate, which allows the use of HTTPS with self-signed certificates.

credentials_path
string
Path to the credentials file (contains the API URL and login/password).

server

The server subsection is the local API configuration.

server:
  log_level: (error|info|debug|trace)
  listen_uri: <listen_uri> # host:port
  profiles_path: <path_to_profile_file>
  online_client:
    credentials_path: <path_to_crowdsec_api_client_credential_file>
  tls:
    cert_file: <path_to_certificate_file>
    key_file: <path_to_certificate_key_file>

listen_uri
string
Address and port to listen on, in the form host:port.

profiles_path
string
The path to the profiles configuration.

online_client

Configuration to push signals to and receive bad IPs from the Crowdsec API.

online_client:
  credentials_path: <path_to_crowdsec_api_client_credential_file>

credentials_path
string
Path to a file containing credentials for the Central API.

tls

If present, holds the paths to the certificate and key files.

tls:
  cert_file: <path_to_certificate_file>
  key_file: <path_to_certificate_key_file>

cert_file
string
Path to the certificate file.

key_file
string
Path to the certificate key file.

prometheus

This section is used by the local API and crowdsec.

prometheus:
  enabled: (true|false)
  level: (full|aggregated)
  listen_addr: <listen_address>
  listen_port: <listen_port>

enabled
bool
Enables or disables Prometheus instrumentation.

level
string
Can be full (all metrics) or aggregated (to allow minimal metrics that will keep cardinality low).

listen_addr
string
Prometheus listen address.

listen_port
int
Prometheus listen port.
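
Three of the directives above decide how exposed a deployment is: api.client.insecure_skip_verify, api.server.listen_uri together with the optional tls block, and prometheus.listen_addr. The following configuration check is an added example, not part of the Crowdsec documentation or code base. The function names, the finding labels, the review rules and the minimal YAML-subset parser (nested mappings only, standing in for a real YAML library) are assumptions made for illustration.

```python
import ipaddress

def parse_simple_yaml(text):
    """Parse the nested-mapping YAML subset config.yaml uses (no lists, no '#' in values)."""
    stack = [(-1, {})]  # (indent, mapping) pairs; the root entry is never popped
    lines = [r.split("#")[0].rstrip() for r in text.splitlines()]  # strip comments
    for line in filter(str.strip, lines):  # skip blank lines
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # climb back to this line's parent mapping
            stack.pop()
        node = stack[-1][1][key] = value.strip() or {}  # scalar string or new mapping
        if isinstance(node, dict):
            stack.append((indent, node))
    return stack[0][1]

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (":8080") or another hostname: assume exposed

def audit(cfg):  # returns the dotted names of directives that weaken the deployment
    findings = []
    api = cfg.get("api", {})
    if api.get("client", {}).get("insecure_skip_verify") == "true":
        findings.append("api.client.insecure_skip_verify")  # certificate checks off
    server = api.get("server", {})
    if "listen_uri" in server:
        host = server["listen_uri"].rpartition(":")[0].strip("[]")
        if not is_loopback(host) and not server.get("tls"):
            findings.append("api.server.listen_uri")  # off-host listener, no tls block
    prom = cfg.get("prometheus", {})
    if prom.get("enabled") == "true" and not is_loopback(prom.get("listen_addr", "")):
        findings.append("prometheus.listen_addr")  # metrics reachable off-host
    return findings

# Constructed sample: a local API opened to the network with no tls section.
SAMPLE = """\
api:
  client:
    insecure_skip_verify: true
  server:
    listen_uri: 0.0.0.0:8080
prometheus:
  enabled: true
  listen_addr: 0.0.0.0
"""
print(audit(parse_simple_yaml(SAMPLE)))
```

Run against the default configuration shown at the top of this page, the same check reports only api.client.insecure_skip_verify, since both listeners are bound to 127.0.0.1.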