Configuration Management

cscli allows you to install, list, upgrade and remove configurations: parsers, enrichers and scenarios.

Warning

If you're not running the latest CrowdSec version, configurations might not be the latest available. cscli will use the branch of the corresponding CrowdSec version to download and install configurations from the hub (it will use the master branch if you are on the latest CrowdSec version).

The parsers, enrichers and scenarios installed on your machine form a coherent ensemble that provides detection capabilities.

Parsers, scenarios and enrichers are often bundled together in "collections" to facilitate configuration.

Parsers, scenarios, enrichers and collections all follow the same principle:

  • cscli install parser crowdsec/nginx-logs
  • cscli update collection crowdsec/base-http-scenarios
  • cscli remove scenario crowdsec/mysql-bf

Please see your local cscli help for up-to-date documentation.

List configurations

cscli list

Note: -a also lists configurations that are not installed.

cscli list example
$ cscli list
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers 
INFO[0000] PARSERS:                                     
--------------------------------------------------------------------------------------------------------------------
 NAME                       📦 STATUS    VERSION  LOCAL PATH                                                        
--------------------------------------------------------------------------------------------------------------------
 crowdsec/nginx-logs        ✔️  enabled  0.3      /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml        
 crowdsec/geoip-enrich      ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/geoip-enrich.yaml     
 crowdsec/syslog-logs       ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s00-raw/syslog-logs.yaml         
 crowdsec/whitelists        ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/whitelists.yaml       
 crowdsec/http-logs         ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/http-logs.yaml        
 crowdsec/dateparse-enrich  ✔️  enabled  0.4      /etc/crowdsec/config/parsers/s02-enrich/dateparse-enrich.yaml 
--------------------------------------------------------------------------------------------------------------------
INFO[0000] SCENARIOS:                                   
-----------------------------------------------------------------------------------------------------------------------
 NAME                             📦 STATUS    VERSION  LOCAL PATH                                                     
-----------------------------------------------------------------------------------------------------------------------
 crowdsec/http-scan-uniques_404   ✔️  enabled  0.4      /etc/crowdsec/config/scenarios/http-scan-uniques_404.yaml  
 crowdsec/http-crawl-non_statics  ✔️  enabled  0.4      /etc/crowdsec/config/scenarios/http-crawl-non_statics.yaml 
-----------------------------------------------------------------------------------------------------------------------
INFO[0000] COLLECTIONS:                                 
-------------------------------------------------------------------------------------------------------------------
 NAME                          📦 STATUS    VERSION  LOCAL PATH                                                    
-------------------------------------------------------------------------------------------------------------------
 crowdsec/linux                ✔️  enabled  0.2      /etc/crowdsec/config/collections/linux.yaml               
 crowdsec/nginx                ✔️  enabled  0.2      /etc/crowdsec/config/collections/nginx.yaml               
 crowdsec/base-http-scenarios  ✔️  enabled  0.1      /etc/crowdsec/config/collections/base-http-scenarios.yaml 
-------------------------------------------------------------------------------------------------------------------
INFO[0000] POSTOVERFLOWS:                               
--------------------------------------
 NAME  📦 STATUS  VERSION  LOCAL PATH 
--------------------------------------
--------------------------------------

For parsers, scenarios and collections, the output includes, besides the name, the version and the path, a STATUS column:

  • ✔️ enabled : configuration is up-to-date
  • ⚠️ enabled,outdated : a newer version is available
  • 🚫 enabled,local : configuration is not managed by cscli
  • ⚠️ enabled,tainted : configuration has been locally modified

(See cscli upgrade to upgrade/sync your configurations with the CrowdSec Hub.)
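The STATUS qualifiers above are what you want to watch on a detection host, since a tainted or local item is one whose content no longer matches the hub. The following is an added example, not part of cscli or the CrowdSec project: it reads the table printed by cscli list and reports every item whose status carries a qualifier. The function names cscli_drift and sample_cscli_list are hypothetical, and the sample table is constructed.

```shell
#!/bin/sh
# Added example (not CrowdSec code): report hub items whose STATUS carries a
# qualifier (outdated, tainted, local) by reading `cscli list` output on stdin.

cscli_drift() {
    awk '
        BEGIN { section = "unknown" }
        # Section banners look like: INFO[0000] PARSERS:
        $1 ~ /^INFO/ && $2 ~ /:$/ {
            section = tolower($2); sub(/:$/, "", section); next
        }
        # Skip other log lines, rulers, the column header and blank lines.
        $1 ~ /^INFO/ || /^-+[ \t]*$/ || $1 == "NAME" || NF < 3 { next }
        # Data row fields: name, status icon, status, version, path.
        $3 ~ /^enabled,/ { print section, $1, $3 }
    '
}

# Constructed sample in the layout shown above; the statuses, the versions
# and the example/custom-bf entry are made up for the demonstration.
sample_cscli_list() {
    cat <<'EOF'
INFO[0000] Loaded 9 collecs, 14 parsers, 12 scenarios, 1 post-overflow parsers
INFO[0000] PARSERS:
--------------------------------------------------------------------------------
 NAME                   📦 STATUS            VERSION  LOCAL PATH
--------------------------------------------------------------------------------
 crowdsec/nginx-logs    ⚠️  enabled,tainted  0.3      /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
 crowdsec/geoip-enrich  ✔️  enabled          0.4      /etc/crowdsec/config/parsers/s02-enrich/geoip-enrich.yaml
--------------------------------------------------------------------------------
INFO[0000] SCENARIOS:
--------------------------------------------------------------------------------
 NAME                             📦 STATUS             VERSION  LOCAL PATH
--------------------------------------------------------------------------------
 crowdsec/http-scan-uniques_404   ⚠️  enabled,outdated  0.3      /etc/crowdsec/config/scenarios/http-scan-uniques_404.yaml
 crowdsec/http-crawl-non_statics  ✔️  enabled           0.4      /etc/crowdsec/config/scenarios/http-crawl-non_statics.yaml
 example/custom-bf                🚫  enabled,local     0.1      /etc/crowdsec/config/scenarios/custom-bf.yaml
--------------------------------------------------------------------------------
EOF
}

# Real use: cscli list 2>&1 | cscli_drift
# (2>&1 keeps the INFO section banners in the stream if they go to stderr)
sample_cscli_list | cscli_drift
```

Each reported line has the form "section name status", so an empty result means every listed item is plain enabled.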

Install new configurations

cscli install parser|scenario|postoverflow <name> [--force]

  • cscli install parser crowdsec/nginx-logs
  • cscli install scenario crowdsec/http-scan-uniques_404

Remove configurations

cscli remove parser|scenario|postoverflow <name> [--force]

Upgrade configurations

Upgrade a specific scenario:

cscli upgrade scenario crowdsec/http-scan-uniques_404

Upgrade all scenarios:

cscli upgrade scenario --all

Upgrade all configurations (parsers, scenarios, collections, postoverflows):

cscli upgrade --all