Skip to content

Parsers

Crowdsec Hub allows you to find needed parsers.

Installing parsers

$ sudo cscli parsers install crowdsecurity/sshd-logs
cscli parsers install example
$ sudo cscli parsers install crowdsecurity/iptables-logs    
INFO[0000] crowdsecurity/iptables-logs : OK             
INFO[0000] Enabled parsers : crowdsecurity/iptables-logs 
INFO[0000] Enabled crowdsecurity/iptables-logs          
INFO[0000] Run 'systemctl reload crowdsec' for the new configuration to be effective. 

Listing installed parsers

sudo cscli parsers list

Parsers are yaml files in /etc/crowdsec/parsers/<STAGE>/parser.yaml.

cscli parsers list example
$ sudo cscli parsers list
--------------------------------------------------------------------------------------------------------------
 NAME                            📦 STATUS    VERSION  LOCAL PATH                                             
--------------------------------------------------------------------------------------------------------------
 crowdsecurity/whitelists        ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml       
 crowdsecurity/dateparse-enrich  ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml 
 crowdsecurity/iptables-logs     ✔️  enabled  0.1      /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml     
 crowdsecurity/syslog-logs       ✔️  enabled  0.1      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml         
 crowdsecurity/sshd-logs         ✔️  enabled  0.1      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml         
 crowdsecurity/geoip-enrich      ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml     
 crowdsecurity/http-logs         ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml        
 crowdsecurity/nginx-logs        ✔️  enabled  0.1      /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml        
--------------------------------------------------------------------------------------------------------------

Upgrading installed parsers

$ sudo cscli parsers upgrade crowdsecurity/sshd-logs

Parsers upgrade allows you to upgrade an existing parser to the latest version.

cscli parsers upgrade example
$ sudo cscli parsers upgrade crowdsecurity/sshd-logs  
INFO[0000] crowdsecurity/sshd : up-to-date              
WARN[0000] crowdsecurity/sshd-logs : overwrite          
WARN[0000] crowdsecurity/ssh-bf : overwrite             
WARN[0000] crowdsecurity/sshd : overwrite               
INFO[0000] 📦 crowdsecurity/sshd : updated               
INFO[0000] Upgraded 1 items                             
INFO[0000] Run 'systemctl reload crowdsec' for the new configuration to be effective.

Monitoring parsers

$ sudo cscli parsers inspect crowdsecurity/sshd-logs 

Parsers inspect will give you detailed information about a given parser, including versioning information and runtime metrics (fetched from prometheus).

cscli parsers inspect example
$ sudo cscli parsers inspect crowdsecurity/sshd-logs     
type: parsers
stage: s01-parse
name: crowdsecurity/sshd-logs
filename: sshd-logs.yaml
description: Parse openSSH logs
author: crowdsecurity
belongs_to_collections:
- crowdsecurity/sshd
remote_path: parsers/s01-parse/crowdsecurity/sshd-logs.yaml
version: "0.1"
local_path: /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
localversion: "0.1"
localhash: ecd40cb8cd95e2bad398824ab67b479362cdbf0e1598b8833e2f537ae3ce2f93
installed: true
downloaded: true
uptodate: true
tainted: false
local: false

Current metrics :

 - (Parser) crowdsecurity/sshd-logs:
+-------------------+-------+--------+----------+
|      PARSERS      | HITS  | PARSED | UNPARSED |
+-------------------+-------+--------+----------+
| /var/log/auth.log | 94138 |  42404 |    51734 |
+-------------------+-------+--------+----------+
## Reference documentation [Link to parsers reference documentation](/Crowdsec/v1/references/parsers/)