Introduction
To be able to detect things, crowdsec needs access to logs. DataSources are configured via the acquisition configuration, or specified on the command line when performing cold log analysis.
| Name | Type | Stream | One-shot | 
|---|---|---|---|
| file | single files, glob expressions and .gz files | yes | yes | 
| journald | journald via filter | yes | yes | 
| AWS cloudwatch | single stream or log group | yes | yes | 
| syslog service | read logs received via syslog protocol | yes | no | 
| docker | read logs from docker containers | yes | yes | 
| AWS kinesis | read logs from a kinesis stream | yes | no | 
While various data sources are supported, they all share the same common configuration structure:

```yaml
source: <source>
labels:
  type: syslog
#log_level: <log_level>
<specific>:
  ...
```

All data sources support:
- a `log_level` to configure the verbosity of the given source (trace, debug, info, warning, error)
- a `labels` map with a mandatory `type` field
- a `source` indicating which implementation the configuration refers to (file, journald, syslog, cloudwatch ...)
- and a section that is specific to the data source implementation, see the dedicated sections below
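
A misconfigured acquisition entry means logs are never read, which leaves a detection gap. The following added example (not part of crowdsec or its documentation) lints already-parsed acquisition documents against the common structure and the stream/one-shot table above. Assumptions: the `docker` and `kinesis` source spellings, a missing `source` being treated as an error, and the sample keys `filenames` and `listen_addr` standing in for the source-specific section.

```python
# Added example: lint parsed acquisition documents against the common structure.
# Documents are plain dicts, as a YAML loader would return them.

LOG_LEVELS = {"trace", "debug", "info", "warning", "error"}

# One-shot support per the table above. "docker" and "kinesis" are assumed
# spellings of the source value; the others come from the page's own list.
ONE_SHOT = {"file": True, "journald": True, "cloudwatch": True,
            "syslog": False, "docker": True, "kinesis": False}

COMMON_KEYS = {"source", "labels", "log_level"}


def lint_acquisition(doc, one_shot=False):
    """Return a list of problems found in one acquisition document."""
    problems = []
    source = doc.get("source")
    if source is None:
        problems.append("missing 'source'")  # assumption: treated as required
    elif source not in ONE_SHOT:
        problems.append(f"unknown source {source!r}")
    elif one_shot and not ONE_SHOT[source]:
        problems.append(f"source {source!r} is stream-only, no one-shot mode")

    labels = doc.get("labels")
    if not isinstance(labels, dict):
        problems.append("'labels' must be a map")
    elif not labels.get("type"):
        problems.append("'labels.type' is mandatory")

    level = doc.get("log_level")
    if level is not None and level not in LOG_LEVELS:
        problems.append(f"invalid log_level {level!r}")

    # Everything outside the common keys is the source-specific section.
    if not (set(doc) - COMMON_KEYS):
        problems.append("no source-specific section")
    return problems


# Constructed sample documents; "filenames" and "listen_addr" stand in for
# the source-specific section and are assumptions, not taken from the page.
SAMPLES = [
    {"source": "file", "labels": {"type": "nginx"}, "filenames": ["/var/log/nginx/*.log"]},
    {"source": "syslog", "labels": {}, "log_level": "verbose", "listen_addr": "127.0.0.1"},
]

if __name__ == "__main__":
    for doc in SAMPLES:
        print(doc.get("source"), lint_acquisition(doc, one_shot=True))
```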