Introduction
To be able to detect things, crowdsec needs to access logs. DataSources are configured via the acquisition configuration, or specified via the command-line when performing cold logs analysis.
| Name | Type | Stream | One-shot |
|---|---|---|---|
| file | single files, glob expressions and .gz files | yes | yes |
| journald | journald via filter | yes | yes |
| AWS cloudwatch | single stream or log group | yes | yes |
| syslog service | read logs received via syslog protocol | yes | no |
| docker | read logs from docker containers | yes | yes |
| AWS kinesis | read logs from a kinesis strean | yes | no |
While various data sources are supported, they all share the same common configuration structure :
source: <source>
labels:
type: syslog
#log_level: <log_level>
<specific>:
...
All the data sources supports :
- a
log_levelto configure verbosity of given source (trace, debug, info, warning, error) - a
labelsmap with a mandatorytypefield - a
sourceindicating which implementation the configuration referes to (file, journald, syslog, cloudwatch ...) - and a section that is specific to the data source implemention, see dedicated sections bellow
warning
The labels and type subsection are crucial as this is what is going to indicate which parsers pickup the log line.
