Introduction
To be able to detect anything, CrowdSec needs access to logs. Data sources are configured via the acquisition configuration, or specified on the command line when performing cold log analysis.
Name | Type | Stream | One-shot |
---|---|---|---|
file | single files, glob expressions and .gz files | yes | yes |
journald | journald via filter | yes | yes |
AWS cloudwatch | single stream or log group | yes | yes |
syslog service | read logs received via syslog protocol | yes | no |
docker | read logs from docker containers | yes | yes |
AWS kinesis | read logs from a kinesis stream | yes | no |
While various data sources are supported, they all share the same common configuration structure:

```yaml
source: <source>
labels:
  type: syslog
#log_level: <log_level>
<specific>:
  ...
```
All the data sources support:

- a `log_level` to configure the verbosity of the given source (trace, debug, info, warning, error)
- a `labels` map with a mandatory `type` field
- a `source` indicating which implementation the configuration refers to (file, journald, syslog, cloudwatch ...)
- and a section that is specific to the data source implementation, see the dedicated sections below