Skip to content

Crowdsec

Home
Crowdsec v0
Crowdsec v0
- Home
- Getting Started
  Getting Started
- Guide
  Guide
  - Overview
  - Acquisition
  - Parsers
  - Enrichers
  - Scenarios
  - Cscli
  - Simulation Mode
- Cheat Sheets
  Cheat Sheets
- Observability
  Observability
  - Overview
  - Logs
  - Metrics
    Metrics
    
    Prometheus
    
    Command line
  - Dashboard
- References
  References
- Write Configurations
  Write Configurations
- bouncers
- Contributing
  Contributing
  - Writing Output Plugins
- Cscli commands
  Cscli commands
- Upgrade V0.X to V1.X
Crowdsec v1
Crowdsec v1
- Home
- Getting Started
  Getting Started
- User guide
  User guide
  - CLI
  - Configurations management
    Configurations management
    
    Acquisition
    
    Collections
    
    Parsers
    
    Enrichers
    
    Scenarios
  - Decisions management
  - Bouncers & machines management
  - Databases
  - Network management
  - Simulation management
  - Crowdsec forensic mode
  - Debugging
- CLI
  CLI
  - Cscli
  - Alerts
  - Bouncers
  - Collections
  - Completion
  - Config
  - Dashboard
  - Decisions
  - Hub
  - Machines
  - Metrics
  - Parsers
  - Postoverflows
  - Scenarios
  - Simulation
- Local API
  Local API
- Observability
  Observability
  - Overview
  - Logs
  - Metrics
    Metrics
    
    Prometheus
    
    Command line
  - Dashboard
- Bouncers
- References
  References
  - Parsers, Scenarios etc.
    Parsers, Scenarios etc.
    
    Stages format
    
    Parsers format
    
    Scenarios format
    
    PostOverlows format
    
    Enrichers format
    
    Collections format
    
    Expressions helpers
    
    Patterns references
  - Configuration files
    Configuration files
    
    Configuration format
    
    Database format
    
    Acquisition format
    
    Profiles format
    
    Simulation configuration
  - Runtime objects
    Runtime objects
    
    Event object
    
    Alert object
    
    Decision object
- Write Configurations
  Write Configurations
- Upgrade V0.X to V1.X
API Swagger
Hub
Releases
Contributing
Contributing
- Guide
FAQ
FAQ
- Questions

Write the acquisition file (optional for test)¶

In order for your log to be processed by the good parser, it must match the filter that you will configure in your parser file.

The filters of the parsers in the first (s00-raw) stage will usually check evt.Line.Labels.type, which is the label of your acquisition file :

With an acquisition file like this :

filename: /path/to/log/file.log
labels:
  type: my_program

The log line will enter the parsing pipeline with evt.Line.Labels.type set to my_program
The parsers in the 1st stage (s00-raw) are dealing with the raw format, and the program name will end up in evt.Parsed.program
When the log line arrive the main parsing stage (s01-parse), evt.Parsed.program will be my_program

For example, this file line(s) :

filename: /var/log/nginx/access.log
labels:
  type: nginx

will be read by this parser :

filter: "evt.Parsed.program startsWith 'nginx'"
onsuccess: next_stage
...