Fetch Crowdsec's latest version here.
tar xvzf crowdsec-release.tgz
A wizard is provided to help you deploy Crowdsec and cscli.
Using the interactive wizard
sudo ./wizard.sh -i
The wizard is going to guide you through the following steps:
- detect services that are present on your machine
- detect selected services logs
- suggest collections (parsers and scenarios) to deploy
- deploy & configure Crowdsec in order to watch selected logs for selected scenarios
The process should take less than a minute, please report if there are any issues.
You are then ready to take a tour of your freshly deployed Crowdsec!
you of little faith
sudo ./wizard.sh --bininstall
This will deploy valid but empty Crowdsec configuration files and the binaries. Beware: in this state, Crowdsec won't monitor or detect anything until it is configured.
cscli install collection crowdsecurity/linux
Installing at least the crowdsecurity/linux collection will provide you:
- syslog parser
- geoip enrichment
- date parsers
You will also need to configure your acquisition file to feed Crowdsec some logs.
Go into the Crowdsec folder and build the binaries:
The Crowdsec binary will be located in ./cmd/crowdsec/crowdsec and the cscli binary in
The wizard itself comes with a --upgrade option that will upgrade an existing crowdsec version. If you have installed crowdsec v0.1.0 and you downloaded v0.1.1, you can run sudo ./wizard.sh --upgrade from the extracted v0.1.1 version. (Note: the wizard doesn't yet download the latest version; you have to download it yourself.)
The wizard takes care of backing up configurations on your behalf, and puts them into an archive:
- your parsers, scenarios and collections, whether from the hub or your local ones
- simulation configuration
- API credentials
- acquisition.yaml file
- plugin(s) configuration
It will then install the new/current crowdsec version and restore everything that has been backed up!
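Added example, not part of the crowdsec wizard: a stand-alone backup of the items listed above, so you hold an archive you control before letting --upgrade remove and reinstall the binaries. It assumes the v0.x layout that the upgrade log on this page shows (ROOT/config/acquis.yaml, ROOT/plugins/backend/...), with ROOT normally /etc/crowdsec; the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the wizard's own code. Assumed layout (v0.x, as in the
# upgrade log): ROOT/config/{parsers,scenarios,collections,postoverflows,
# simulation.yaml,api.yaml,acquis.yaml} and ROOT/plugins.

# backup_crowdsec_config ROOT ARCHIVE
# Absent optional items are skipped; a missing acquis.yaml aborts, because a
# restore without it would leave crowdsec watching no logs at all.
backup_crowdsec_config() {
    root="$1"; out="$2"; items=""
    for rel in config/parsers config/scenarios config/collections \
               config/postoverflows config/simulation.yaml config/api.yaml \
               config/acquis.yaml plugins; do
        if [ -e "$root/$rel" ]; then items="$items $rel"; fi
    done
    case " $items " in
        *" config/acquis.yaml "*) ;;
        *) echo "no acquis.yaml under $root/config, refusing to back up" >&2
           return 1 ;;
    esac
    # $items is deliberately unquoted: one tar member per collected path
    tar cf "$out" -C "$root" $items
}

# count_archive_entries ARCHIVE PATTERN: number of members matching PATTERN,
# used to check the archive before trusting it for a rollback
count_archive_entries() {
    tar tf "$1" | grep -c -- "$2"
}

# Constructed sample tree standing in for /etc/crowdsec; prints its path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/config/parsers/s00-raw" "$d/config/scenarios" \
             "$d/config/collections" "$d/plugins/backend"
    echo "name: crowdsecurity/syslog-logs" > "$d/config/parsers/s00-raw/syslog-logs.yaml"
    echo "name: crowdsecurity/ssh-bf" > "$d/config/scenarios/ssh-bf.yaml"
    echo "filename: /var/log/auth.log" > "$d/config/acquis.yaml"
    echo "simulation: off" > "$d/config/simulation.yaml"
    : > "$d/plugins/backend/database.yaml"
    echo "$d"
}
```

Run it as `backup_crowdsec_config /etc/crowdsec /root/crowdsec-pre-upgrade.tar` before the wizard, then list the archive to confirm acquis.yaml and your local parsers and scenarios are in it.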
$ sudo ./wizard.sh --upgrade
[10/05/2020:11:27:34 AM][INF] crowdsec_wizard: Backing up existing configuration
WARN Starting configuration backup
INFO saving, version:0.1, up-to-date:true file=crowdsecurity/syslog-logs type=parsers
...
INFO Wrote 7 entries for parsers to /tmp/tmp.z54P27aaW0/parsers//upstream-parsers.json file=crowdsecurity/geoip-enrich type=parsers
INFO Wrote 0 entries for postoverflows to /tmp/tmp.z54P27aaW0/postoverflows//upstream-postoverflows.json file=crowdsecurity/seo-bots-whitelist type=postoverflows
INFO Wrote 9 entries for scenarios to /tmp/tmp.z54P27aaW0/scenarios//upstream-scenarios.json file=crowdsecurity/smb-bf type=scenarios
INFO Wrote 4 entries for collections to /tmp/tmp.z54P27aaW0/collections//upstream-collections.json file=crowdsecurity/vsftpd type=collections
INFO Saved acquis to /tmp/tmp.z54P27aaW0/acquis.yaml
INFO Saved default yaml to /tmp/tmp.z54P27aaW0/default.yaml
INFO Saved configuration to /tmp/tmp.z54P27aaW0
INFO Stop docker metabase /crowdsec-metabase
[10/05/2020:11:27:36 AM][INF] crowdsec_wizard: Removing crowdsec binaries
[10/05/2020:11:27:36 AM][INF] crowdsec_wizard: crowdsec successfully uninstalled
[10/05/2020:11:27:36 AM][INF] crowdsec_wizard: Installing crowdsec ...
[10/05/2020:11:27:36 AM][INF] crowdsec_wizard: Restoring configuration ...
INFO Restore acquis to /etc/crowdsec/config/acquis.yaml
INFO Restoring '/tmp/tmp.z54P27aaW0/plugins/backend/database.yaml' to '/etc/crowdsec/plugins/backend/database.yaml'
[10/05/2020:11:27:41 AM][INF] crowdsec_wizard: Restoring saved database
[10/05/2020:11:27:41 AM][INF] crowdsec_wizard: Finished, restarting
As usual, if you experience any issues, let us know :)
You can uninstall crowdsec using the wizard:
sudo ./wizard.sh --uninstall