Add new log sources

info

We will add a file-based acquisition. If you need a different source, adjust the instructions to match your setup.

Once you have identified the service you want to add, use cscli to install its collection.

tip

You can view the available collections on the Hub.

SH
cscli collections add <collection_name>

Once the collection is downloaded, add a new Acquisition so CrowdSec knows where to find the log source.

info

Each collection on the Hub includes an example Acquisition, which helps you identify files to monitor and labels to assign.

info

Since version 1.5.0, you can add acquisitions via the acquis.d directory, which avoids editing the main configuration file.

Create the directory if it does not exist

SH
sudo mkdir -p /etc/crowdsec/acquis.d

Create the acquisition file

SH
sudo touch /etc/crowdsec/acquis.d/<collection_name>.yaml

info

You can skip the following step if you are on Kubernetes.

Add the following contents to the file

<collection_name>.yaml
YAML
filenames:
  - "/path/to/your/file.log" ## Single file
  - "/path/to/your/files*" ## Wildcard support
labels:
  type: "<type of logs>" ## Type defined in the parser

Once you have added the acquisitions, test the configuration and restart the service.

SH
sudo crowdsec -t && sudo systemctl restart crowdsec
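
The procedure above carried through for one concrete service, as an added example that is not part of the CrowdSec documentation: it writes the acquisition file and counts the log files each path pattern currently matches, since a pattern that matches no file gives CrowdSec nothing to read. The `crowdsecurity/nginx` collection, the `nginx` label type, the log paths and the helper names `write_acquis` and `count_matches` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: helper names, collection and paths are assumptions.

# write_acquis DIR NAME TYPE PATTERN...
# Writes DIR/NAME.yaml in the layout shown above and prints its path.
write_acquis() {
    [ "$#" -ge 4 ] || { echo "usage: write_acquis DIR NAME TYPE PATTERN..." >&2; return 2; }
    dir=$1 name=$2 logtype=$3
    shift 3
    [ -n "$logtype" ] || { echo "label type is required" >&2; return 2; }
    mkdir -p "$dir" || return 1
    out="$dir/$name.yaml"
    {
        echo "filenames:"
        for p in "$@"; do printf '  - "%s"\n' "$p"; done
        echo "labels:"
        printf '  type: "%s"\n' "$logtype"
    } > "$out" || return 1
    echo "$out"
}

# count_matches PATTERN
# Prints how many readable regular files the pattern matches right now.
# Uses shell globbing as an approximation; patterns must not contain spaces.
count_matches() {
    n=0
    for f in $1; do            # unquoted on purpose so the glob expands
        if [ -f "$f" ] && [ -r "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Demo in a throwaway directory with constructed (empty) log files.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/log/nginx"
    : > "$tmp/log/nginx/access.log"
    : > "$tmp/log/nginx/error.log"
    file=$(write_acquis "$tmp/acquis.d" nginx nginx "$tmp/log/nginx/*.log")
    cat "$file"
    echo "files matched: $(count_matches "$tmp/log/nginx/*.log")"
    rm -rf "$tmp"
}
demo

# Real use, as root, after `cscli collections add crowdsecurity/nginx`:
#   write_acquis /etc/crowdsec/acquis.d nginx nginx '/var/log/nginx/*.log'
#   count_matches '/var/log/nginx/*.log'
#   crowdsec -t && systemctl restart crowdsec
```

A count of 0 from `count_matches` means the pattern or the file permissions need fixing before the restart; the check runs as the calling user, so run it as the account CrowdSec runs under.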

Next steps

Now that you have added a new acquisition, verify that logs are being parsed correctly. See Are the detected log sources working correctly?.
