
Adding a new Acquisition

info

We will be adding a file-based acquisition. If you need to use a different source, alter the instructions to match your needs.

Once you have found the service you want to add, you can use the cscli command line tool to add the collection.

tip

You can view the available collections on the Hub.

cscli collections add <collection_name>

Once the collection has been downloaded we need to add a new Acquisition to the configuration so CrowdSec knows where to find the log source.

info

An example of an Acquisition is available in the collection on the Hub, which will assist you in identifying the files to monitor and the labels to assign.

info

From version 1.5.0 we have added the ability to add acquisitions via the acquis.d directory. This allows you to add acquisitions without modifying the main configuration file.

Create the directory if it does not exist

sudo mkdir -p /etc/crowdsec/acquis.d

Create the acquisition file

sudo touch /etc/crowdsec/acquis.d/<collection_name>.yaml

info

You can skip the following step if you are on Kubernetes

Add the following contents to the file

<collection_name>.yaml
filenames:
  - "/path/to/your/file.log" ## Single file
  - "/path/to/your/files*" ## Wildcard support
labels:
  type: "<type of logs>" ## Type defined in the parser

Once you have added the acquisitions you can test the configuration and restart the service.

sudo crowdsec -t && sudo systemctl restart crowdsec
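The steps above can be scripted with a pre-flight check for the most common silent failure: a path or wildcard that matches no readable file, so nothing is ever ingested. This is an added example, not part of the CrowdSec documentation or tooling; `write_acquis` and `check_acquis_paths` are hypothetical helper names, and shell globbing is assumed to approximate how CrowdSec expands the wildcard.

```shell
# Added example: helper names are hypothetical, not CrowdSec commands.

# check_acquis_paths PATTERN...
# Returns 0 only if every pattern matches at least one readable regular file.
# Assumption: paths contain no whitespace (patterns are expanded unquoted).
check_acquis_paths() {
    rc=0
    for pat in "$@"; do
        matched=0
        # Unquoted on purpose so the shell expands the wildcard.
        for f in $pat; do
            [ -f "$f" ] || continue
            matched=1
            [ -r "$f" ] || { echo "not readable: $f" >&2; rc=1; }
        done
        [ "$matched" -eq 1 ] || { echo "no file matches: $pat" >&2; rc=1; }
    done
    return "$rc"
}

# write_acquis DIR NAME TYPE PATTERN...
# Writes DIR/NAME.yaml in the filenames/labels layout shown above,
# then verifies that each pattern points at a real log file.
write_acquis() {
    dir=$1; name=$2; type=$3; shift 3
    [ "$#" -gt 0 ] || { echo "no log paths given" >&2; return 2; }
    mkdir -p "$dir" || return 1
    {
        echo "filenames:"
        for pat in "$@"; do
            printf '  - "%s"\n' "$pat"
        done
        echo "labels:"
        printf '  type: "%s"\n' "$type"
    } > "$dir/$name.yaml" || return 1
    check_acquis_paths "$@"
}
```

Run it with sufficient privileges against `/etc/crowdsec/acquis.d`, then continue with `sudo crowdsec -t` as above; the helper only checks paths and does not validate the label type against the parser.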

Next Steps?

Now that you have added a new acquisition, you may want to verify that the logs are being parsed correctly; see "Are detected log sources working correctly?".