Skip to content

Crowdsec PostOverlows format

Crowdsec

Home
Crowdsec v0
Crowdsec v0
- Home
- Getting Started
  Getting Started
- Guide
  Guide
  - Overview
  - Acquisition
  - Parsers
  - Enrichers
  - Scenarios
  - Cscli
  - Simulation Mode
- Cheat Sheets
  Cheat Sheets
- Observability
  Observability
  - Overview
  - Logs
  - Metrics
    Metrics
    
    Prometheus
    
    Command line
  - Dashboard
- References
  References
- Write Configurations
  Write Configurations
- bouncers
- Contributing
  Contributing
  - Writing Output Plugins
- Cscli commands
  Cscli commands
- Upgrade V0.X to V1.X
Crowdsec v1
Crowdsec v1
- Home
- Getting Started
  Getting Started
- User guide
  User guide
  - CLI
  - Configurations management
    Configurations management
    
    Acquisition
    
    Collections
    
    Parsers
    
    Enrichers
    
    Scenarios
  - Decisions Management
  - Bouncers & machines management
  - Databases
  - Simulation Management
  - Crowdsec forensic mode
  - Debugging
- CLI
  CLI
  - Cscli
  - Alerts
  - Bouncers
  - Collections
  - Completion
  - Config
  - Dashboard
  - Decisions
  - Hub
  - Machines
  - Metrics
  - Parsers
  - Postoverflows
  - Scenarios
  - Simulation
- Local API
  Local API
- Observability
  Observability
  - Overview
  - Logs
  - Metrics
    Metrics
    
    Prometheus
    
    Command line
  - Dashboard
- Bouncers
- References
  References
  - Parsers, Scenarios etc.
    Parsers, Scenarios etc.
    
    Stages format
    
    Parsers format
    
    Scenarios format
    
    PostOverlows format
    
    Enrichers format
    
    Collections format
    
    Expressions helpers
    
    Patterns references
  - Configuration files
    Configuration files
    
    Configuration format
    
    Database format
    
    Acquisition format
    
    Profiles format
    
    Simulation configuration
  - Runtime objects
    Runtime objects
    
    Event object
    
    Alert object
    
    Decision object
- Write Configurations
  Write Configurations
- Upgrade V0.X to V1.X
API Swagger
Hub
Releases
Contributing
Contributing
- Guide
FAQ
FAQ
- Questions

Post Overflows¶

PostOverflows is secondary parsing phase that happens after a bucket overflowed. It behaves exactly like a Normal Parsing. However, instead of receiving event with logs, the parser receive events with alert representing the overflows.

The configuration resides in /etc/crowdsec/postoverflows/.