From e7c384387d145ba5cec7e0507e15ffff6dccc590 Mon Sep 17 00:00:00 2001 From: Thibault Koechlin Date: Wed, 23 Jul 2025 13:02:24 +0200 Subject: [PATCH 1/5] add configuration paths --- .../configuration/crowdsec_configuration.md | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/crowdsec-docs/docs/configuration/crowdsec_configuration.md b/crowdsec-docs/docs/configuration/crowdsec_configuration.md index 5dfbd6355..ba54e857e 100644 --- a/crowdsec-docs/docs/configuration/crowdsec_configuration.md +++ b/crowdsec-docs/docs/configuration/crowdsec_configuration.md 
@@ -15,6 +15,63 @@ You can find the default configurations on our GitHub repository: [Windows default configuration](https://github.com/crowdsecurity/crowdsec/blob/master/config/config_win.yaml) +## Common configuration directories & paths + +### `/etc/crowdsec/` + +All CrowdSec configuration are living in this directory. + +### `/etc/crowdsec/config.yaml` + +Main configuration file for Log Processor and Local API. + +### `/etc/crowdsec/acquis.d` and `/etc/crowdsec/acquis.yaml` + +Documents which log sources and datasources are processed by the Log Processor. + +`/etc/crowdsec/acquis.yaml` is the historical acquisition configuration file. +`/etc/crowdsec/acquis.d/*.yaml` is prefered when possible. + +### `/etc/crowdsec/bouncers/*.yaml` + +Individual configuration file for bouncers. + +### `/etc/crowdsec/collections/*.yaml` + +Collections currently installed on the Log Processor. + +### `/etc/crowdsec/console.yaml` + +Console specific flags to enable/disable manual decisions management, alert context sharing. + +### `/etc/crowdsec/contexts/*.yaml` + +Enabled alert context for Local API and Log Processor. + +### `/etc/crowdsec/hub/` + +Local Hub Mirror. + +### `/etc/crowdsec/local_api_credentials.yaml` and `/etc/crowdsec/online_api_credentials.yaml` + +Credentials for Local API and Central API. + +### `/etc/crowdsec/parsers` + +Contains all parsers enabled on the Log Processor, organised in stages: + - `/etc/crowdsec/parsers/s00-raw/*.yaml` : parsers for based formats such as syslog. + - `/etc/crowdsec/parsers/s01-parse/*.yaml` : service specific parsers such as nginx or ssh. + - `/etc/crowdsec/parsers/s02-enrich/*.yaml` : enrichment parsers and whitelists. + +### `/etc/crowdsec/scenarios` + +Contains all scenarios enabled on the Log Processor. + +### `/etc/crowdsec/profiles.yaml` + +Contains profiles used by Local API to eventually turn alerts into decisions or dispatch them to notification plugins. 
+ + ## Environment variables It is possible to set configuration values based on environment variables. From 8d6cb767e0d289f6fbf2075317d81987017b3daf Mon Sep 17 00:00:00 2001 From: Thibault Koechlin Date: Wed, 23 Jul 2025 13:32:36 +0200 Subject: [PATCH 2/5] up --- .../configuration/crowdsec_configuration.md | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/crowdsec-docs/docs/configuration/crowdsec_configuration.md b/crowdsec-docs/docs/configuration/crowdsec_configuration.md index ba54e857e..4d999a554 100644 --- a/crowdsec-docs/docs/configuration/crowdsec_configuration.md +++ b/crowdsec-docs/docs/configuration/crowdsec_configuration.md @@ -50,7 +50,7 @@ Enabled alert context for Local API and Log Processor. ### `/etc/crowdsec/hub/` -Local Hub Mirror. +Local Hub Mirror. Not itended to be modified by the user. Do not put custom scenarios/parsers here. ### `/etc/crowdsec/local_api_credentials.yaml` and `/etc/crowdsec/online_api_credentials.yaml` 
@@ -58,19 +58,31 @@ Credentials for Local API and Central API. ### `/etc/crowdsec/parsers` -Contains all parsers enabled on the Log Processor, organised in stages: +Contains all parsers enabled on the Log Processor, including local parsers, organised in stages: - `/etc/crowdsec/parsers/s00-raw/*.yaml` : parsers for based formats such as syslog. - `/etc/crowdsec/parsers/s01-parse/*.yaml` : service specific parsers such as nginx or ssh. - `/etc/crowdsec/parsers/s02-enrich/*.yaml` : enrichment parsers and whitelists. + ### `/etc/crowdsec/scenarios` -Contains all scenarios enabled on the Log Processor. +Contains all scenarios enabled on the Log Processor, including local scenarios. ### `/etc/crowdsec/profiles.yaml` Contains profiles used by Local API to eventually turn alerts into decisions or dispatch them to notification plugins. +### `/etc/crowdsec/notifications/*.yaml` + +Contains notification plugins configuration (slack, email, splunk, etc.) + +### `/etc/crowdsec/appsec-configs/*.yaml` + +Contains AppSec (WAF) configuration indicating which rules or loaded in `inband` and `outofband` files, as well as eventual `hooks` configuration. + +### `/etc/crowdsec/appsec-rules/*.yaml` + +Contains individual AppSec (WAF) rules loaded by `appsec-configs` files. ## Environment variables From 593d82a2153e3f8b8838a7e02f5c929b8bf9476f Mon Sep 17 00:00:00 2001 From: Thibault Koechlin Date: Wed, 23 Jul 2025 13:33:04 +0200 Subject: [PATCH 3/5] up --- crowdsec-docs/docs/configuration/crowdsec_configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crowdsec-docs/docs/configuration/crowdsec_configuration.md b/crowdsec-docs/docs/configuration/crowdsec_configuration.md index 4d999a554..d65673164 100644 --- a/crowdsec-docs/docs/configuration/crowdsec_configuration.md +++ b/crowdsec-docs/docs/configuration/crowdsec_configuration.md 
@@ -46,7 +46,7 @@ Console specific flags to enable/disable manual decisions management, alert cont ### `/etc/crowdsec/contexts/*.yaml` -Enabled alert context for Local API and Log Processor. +Enabled alert context for Local API and Log Processor. This is where you should add custom data to be sent in alert context. ### `/etc/crowdsec/hub/` From cd12755179c2e2f54a4a61bb3c10537ba27b7492 Mon Sep 17 00:00:00 2001 From: Thibault Koechlin Date: Wed, 23 Jul 2025 13:41:15 +0200 Subject: [PATCH 4/5] up --- .../docs/configuration/crowdsec_configuration.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/crowdsec-docs/docs/configuration/crowdsec_configuration.md b/crowdsec-docs/docs/configuration/crowdsec_configuration.md index d65673164..19f7ee40f 100644 --- a/crowdsec-docs/docs/configuration/crowdsec_configuration.md +++ b/crowdsec-docs/docs/configuration/crowdsec_configuration.md @@ -42,7 +42,13 @@ Collections currently installed on the Log Processor. ### `/etc/crowdsec/console.yaml` -Console specific flags to enable/disable manual decisions management, alert context sharing. +Console specific flags: + - enable/disable decisions management from the console + - enable/disable sharing of manual decisions with the console + - enable/disable sharing of custom/tainted scenarios related decisions with the console + - enable/disable sharing of alert context data with the console. + + to enable/disable manual decisions management, alert context sharing. ### `/etc/crowdsec/contexts/*.yaml` @@ -50,7 +56,7 @@ Enabled alert context for Local API and Log Processor. This is where you should ### `/etc/crowdsec/hub/` -Local Hub Mirror. Not itended to be modified by the user. Do not put custom scenarios/parsers here. +Local Hub Mirror. Not intended to be modified by the user. Do not put custom scenarios/parsers here. ### `/etc/crowdsec/local_api_credentials.yaml` and `/etc/crowdsec/online_api_credentials.yaml` 
From a534d8a90543743910ee9d8e9cf1da013757e698 Mon Sep 17 00:00:00 2001 From: Thibault Koechlin Date: Wed, 23 Jul 2025 13:43:18 +0200 Subject: [PATCH 5/5] up --- crowdsec-docs/docs/configuration/crowdsec_configuration.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/crowdsec-docs/docs/configuration/crowdsec_configuration.md b/crowdsec-docs/docs/configuration/crowdsec_configuration.md index 19f7ee40f..cc4eee4be 100644 --- a/crowdsec-docs/docs/configuration/crowdsec_configuration.md +++ b/crowdsec-docs/docs/configuration/crowdsec_configuration.md @@ -48,8 +48,6 @@ Console specific flags: - enable/disable sharing of custom/tainted scenarios related decisions with the console - enable/disable sharing of alert context data with the console. - to enable/disable manual decisions management, alert context sharing. - ### `/etc/crowdsec/contexts/*.yaml` Enabled alert context for Local API and Log Processor. This is where you should add custom data to be sent in alert context.
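Review bot: in the PATCH 1/5 hunk (`@@ -15,6 +15,63 @@`), the entry for `/etc/crowdsec/local_api_credentials.yaml` and `/etc/crowdsec/online_api_credentials.yaml` says only "Credentials for Local API and Central API."; since both files hold secrets, the entry should say so and tell readers to keep them out of version control and world-readable file modes, the same way the hub entry later tells them not to edit it. The same hunk has several wording slips worth fixing before merge: "All CrowdSec configuration are living in this directory." should read "All CrowdSec configuration lives in this directory."; "Individual configuration file for bouncers." should be plural ("files"); "is prefered when possible" should be "is preferred"; and "parsers for based formats such as syslog" should be "parsers for base formats such as syslog".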
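Review bot: in the first PATCH 2/5 hunk (`@@ -50,7 +50,7 @@`), "Not itended to be modified by the user." is a typo for "Not intended"; it is corrected only in PATCH 4/5, so squashing that fix into this commit would avoid the churn. The guidance itself ("Do not put custom scenarios/parsers here.") is the right thing to document, since the hub mirror can be overwritten by hub updates.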
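Review bot: in the second PATCH 2/5 hunk (`@@ -58,19 +58,31 @@`), the `appsec-configs` description "indicating which rules or loaded in `inband` and `outofband` files" contains a typo ("or loaded" should be "are loaded"), and "eventual `hooks` configuration" is a false friend; "optional `hooks` configuration" is what is meant. Two smaller points: the new `notifications/*.yaml` sentence "(slack, email, splunk, etc.)" has no terminating period, and the lone `+` line added after the `s02-enrich` bullet inserts a second blank line before `### /etc/crowdsec/scenarios` (the PATCH 1/5 hunk already had one there), so that line should be dropped.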
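Review bot: in the first PATCH 4/5 hunk (`@@ -42,7 +42,13 @@`), the tail of the old sentence ("to enable/disable manual decisions management, alert context sharing.") is left dangling below the new bullet list and should be removed in this commit rather than in the follow-up (PATCH 5/5 does exactly that). The four bullets are also punctuated inconsistently; only the last one ends with a period.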
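Review bot: the PATCH 5/5 hunk (`@@ -48,8 +48,6 @@`) only removes the fragment PATCH 4/5 left behind, and PATCH 2/5 through 5/5 all carry the subject "up"; the series should be squashed into the first commit ("add configuration paths") before merge so the history records one descriptive change rather than four fix-ups of it.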