Add Local Collections

A collection is a bundle of config files that describe what to look for and where to look for it. The installer picks a few to start with, based on its inspection of the software already installed on the host.

sudo cscli collections list

If you want something else, take a look at CrowdSec's collections on the hub to see what's available; the more info link on each collection shows you how to install it. You can also take a quick look from the command line:

sudo cscli collections list -a

For example, to configure it to watch Caddy:

sudo cscli collections install crowdsecurity/caddy

# It should add an acquisition file to the drop folder. If nothing appears,
# the collection didn't ship one and you need to write it yourself.
cat /etc/crowdsec/acquis.d/caddy.yaml

# Reload crowdsec for these changes to take effect
sudo systemctl reload crowdsec

Collection Details

Inspecting a collection lists the parsers and scenarios it bundles, along with some metrics for each of them.

sudo cscli collections list
sudo cscli collections inspect crowdsecurity/linux
sudo cscli collections inspect crowdsecurity/sshd

To learn more about a collection and its components, you can check out its page on the hub:

https://hub.crowdsec.net/author/crowdsecurity/collections/linux

The metrics are a bit confusing until you learn that the 'Unparsed' column doesn't mean the parser broke; it means a non-event. These are ordinary log lines that matched none of the patterns the parsers were looking for, which on a healthy host is most of them.

How Collections Work

A collection starts by putting a config file in the acquis.d folder. This is the acquisition drop folder; it tells CrowdSec where to acquire data, i.e. which log files to read and what type label to attach to them. If the logs are in a format it doesn't already understand, the collection also adds a parser under parsers and patterns under scenarios. Scenarios are rules like "5 failed login attempts in less than 30 seconds".

The important thing to know is that parsers only "succeed" on interesting events. A normal login is just recorded as an unparsed line, because it didn't match anything a parser cared about. Scenarios therefore only ever see actual events, which keeps the state they have to track small.

Matching a scenario triggers an alert, which the agent sends to the local API (LAPI), not to the hub; if the install registered the machine with CrowdSec's central API, the LAPI also shares the signal for the community blocklist. Unless the source was whitelisted, the alert usually becomes a decision. The default decision is to add the IP to the ban list. Decisions have a configurable expiration (the stock profile bans for 4 hours), so that if you really do guess wrong 10 times in a row, you're not banned forever.
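The three kinds of file described above, written out as an added example rather than the hub's own collection files. It is a single listing with three YAML documents, each headed by the path it would live at; the item names (example/...), the office addresses and the Caddy log path are assumptions for illustration. The scenario assumes the sshd parser from the crowdsecurity/sshd collection, which tags failed logins with log_type ssh_failed-auth.

```yaml
# Added example, not files from the page or the hub. Three documents in one
# listing; in practice each goes in its own file at the path in its comment.

# 1. /etc/crowdsec/acquis.d/caddy.yaml
#    Where to read logs from, and the "type" label parsers key on to pick the
#    right log format. The path is an assumption; use wherever Caddy logs to.
filenames:
  - /var/log/caddy/*.log
labels:
  type: caddy
---
# 2. /etc/crowdsec/scenarios/example-ssh-bf.yaml
#    A leaky bucket for "too many failed logins from one IP". Every matching
#    event adds a token, one token leaks every `leakspeed`, and the bucket
#    overflows (raising an alert) when it holds more than `capacity` tokens.
#    With capacity 5 and leakspeed 30s, six failures inside 30 seconds always
#    overflow; a slower stream overflows too if it keeps beating one per 30s.
type: leaky
name: example/ssh-bf-30s                 # assumed name; the hub one is crowdsecurity/ssh-bf
description: "Detect ssh bruteforce (example)"
filter: "evt.Meta.log_type == 'ssh_failed-auth'"   # only parsed events reach here
groupby: evt.Meta.source_ip              # one bucket per attacking IP
capacity: 5
leakspeed: "30s"
blackhole: 1m                            # don't re-alert on the same IP for a minute
labels:
  service: ssh
  type: bruteforce
  remediation: true                      # lets the default profile turn this into a ban
---
# 3. /etc/crowdsec/parsers/s02-enrich/example-office-whitelist.yaml
#    Whitelists are parsers: an event that matches here is dropped before any
#    scenario sees it, so the listed addresses can never be banned.
name: example/office-whitelist
description: "Never ban the office egress address (example)"
whitelist:
  reason: "office egress address"
  ip:
    - "203.0.113.10"                     # constructed, TEST-NET-3 address
  cidr:
    - "192.0.2.0/24"                     # constructed, TEST-NET-1 range
```

After dropping files like these in place, `sudo systemctl reload crowdsec` picks them up, and `sudo cscli metrics` will show the scenario's bucket counts once matching events arrive.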


Last modified May 7, 2026: Reorganised CrowdSec pages (58b8edf)