Skip to content

Crowdsec Tour

List installed configurations

sudo cscli hub list

On the machine where you deployed crowdsec-agent, type sudo cscli hub list to see install configurations. This list represents the parsers, scenarios and/or collections that you deployed. They represent what your crowdsec-agent setup can read (logs) and detect (scenarios). sudo cscli hub list -a will list all available configurations in the hub.

Check cscli configuration management for more !

output example
$ sudo cscli hub list
INFO[0000] Loaded 13 collecs, 17 parsers, 21 scenarios, 3 post-overflow parsers 
INFO[0000] unmanaged items : 23 local, 0 tainted        
INFO[0000] PARSERS:                                     
--------------------------------------------------------------------------------------------------------------
 NAME                            📦 STATUS    VERSION  LOCAL PATH                                             
--------------------------------------------------------------------------------------------------------------
 crowdsecurity/mysql-logs        ✔️  enabled  0.1      /etc/crowdsec/parsers/s01-parse/mysql-logs.yaml        
 crowdsecurity/sshd-logs         ✔️  enabled  0.1      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml         
 crowdsecurity/dateparse-enrich  ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml 
 crowdsecurity/whitelists        ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml       
 crowdsecurity/geoip-enrich      ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml     
 crowdsecurity/syslog-logs       ✔️  enabled  0.1      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml         
--------------------------------------------------------------------------------------------------------------
INFO[0000] SCENARIOS:                                   
-------------------------------------------------------------------------------------
 NAME                    📦 STATUS    VERSION  LOCAL PATH                            
-------------------------------------------------------------------------------------
 crowdsecurity/mysql-bf  ✔️  enabled  0.1      /etc/crowdsec/scenarios/mysql-bf.yaml 
 crowdsecurity/ssh-bf    ✔️  enabled  0.1      /etc/crowdsec/scenarios/ssh-bf.yaml   
-------------------------------------------------------------------------------------
INFO[0000] COLLECTIONS:                                 
---------------------------------------------------------------------------------
 NAME                 📦 STATUS    VERSION  LOCAL PATH                           
---------------------------------------------------------------------------------
 crowdsecurity/mysql  ✔️  enabled  0.1      /etc/crowdsec/collections/mysql.yaml 
 crowdsecurity/sshd   ✔️  enabled  0.1      /etc/crowdsec/collections/sshd.yaml  
 crowdsecurity/linux  ✔️  enabled  0.2      /etc/crowdsec/collections/linux.yaml 
---------------------------------------------------------------------------------
INFO[0000] POSTOVERFLOWS:                               
--------------------------------------
 NAME  📦 STATUS  VERSION  LOCAL PATH 
--------------------------------------
--------------------------------------

List active decisions

sudo cscli decisions list

If you just deployed crowdsec-agent, the list might be empty, but don't worry, it simply means you haven't yet been attacked, congrats!

Check cscli decisions management for more !

output example
$ sudo cscli decisions list
+-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+
| ID  | SOURCE    | SCOPE:VALUE |               REASON               | ACTION | COUNTRY | AS | EVENTS |     EXPIRATION     | ALERT ID |
+-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+
| 802 | cscli     | Ip:1.2.3.5  | manual 'ban' from                  | ban    |         |    |      1 | 3h50m58.10039043s  |     802  |
|     |           |             | 'b76cc7b1bbdc489e93909d2043031de8' |        |         |    |        |                    |          |
| 801 | crowdsec  | Ip:1.2.3.4  | crowdsecurity/ssh-bf               | ban    |         |    |      6 | 3h59m45.100387557s |     801  |
+-----+-----------+-------------+------------------------------------+--------+---------+----+--------+--------------------+----------+

There are different decisions SOURCE:

  • crowdsec : decisions triggered locally by the crowdsec agent
  • CAPI : decisions fetched from the Crowdsec Central API
  • csli : decisions added via sudo cscli decisions add

List alerts

sudo cscli alerts list

While decisions won't be shown anymore once they expire (or are manually deleted), the alerts will stay visible, allowing you to keep track of past decisions. You will here see the alerts, even if the associated decisions expired.

output example
$ sudo cscli alerts list --since 1h
+----+-------------+----------------------------+---------+----+-----------+---------------------------+
| ID | SCOPE:VALUE |           REASON           | COUNTRY | AS | DECISIONS |        CREATED AT         |
+----+-------------+----------------------------+---------+----+-----------+---------------------------+
|  5 | Ip:1.2.3.6  | crowdsecurity/ssh-bf (0.1) | US      |    | ban:1     | 2020-10-29T11:33:36+01:00 |
+----+-------------+----------------------------+---------+----+-----------+---------------------------+

Monitor on-going activity (prometheus)

sudo cscli metrics

The metrics displayed are extracted from crowdsec-agent prometheus. The indicators are grouped by scope :

  • Buckets : Know which buckets are created and/or overflew (scenario efficiency)
  • Acquisition : Know which file produce logs and if thy are parsed (or end up in bucket)
  • Parser : Know how frequently the individual parsers are triggered and their success rate
  • Local Api Metrics : Know how often each endpoint of crowdsec's local API has been used
output example
$ sudo cscli metrics
INFO[0000] Buckets Metrics:
+--------------------------------------+---------------+-----------+--------------+--------+---------+
|                BUCKET                | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/http-bad-user-agent    | -             | -         |            7 |      7 |       7 |
| crowdsecurity/http-crawl-non_statics | -             | -         |           82 |    107 |      82 |
| crowdsecurity/http-probing           | -             | -         |            2 |      2 |       2 |
| crowdsecurity/http-sensitive-files   | -             | -         |            1 |      1 |       1 |
| crowdsecurity/ssh-bf                 |            16 |      5562 |         7788 |  41542 |    2210 |
| crowdsecurity/ssh-bf_user-enum       |             8 | -         |         6679 |  12571 |    6671 |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
INFO[0000] Acquisition Metrics:
+---------------------------+------------+--------------+----------------+------------------------+
|          SOURCE           | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+---------------------------+------------+--------------+----------------+------------------------+
| /var/log/auth.log         |      92978 |        41542 |          51436 |                  54113 |
| /var/log/messages         |          2 | -            |              2 | -                      |
| /var/log/nginx/access.log |        124 |           99 |             25 |                     88 |
| /var/log/nginx/error.log  |        287 |           63 |            224 |                     29 |
| /var/log/syslog           |      27271 | -            |          27271 | -                      |
+---------------------------+------------+--------------+----------------+------------------------+
INFO[0000] Parser Metrics:
+--------------------------------+--------+--------+----------+
|            PARSERS             |  HITS  | PARSED | UNPARSED |
+--------------------------------+--------+--------+----------+
| child-crowdsecurity/http-logs  |    486 |    232 |      254 |
| child-crowdsecurity/nginx-logs |    723 |    162 |      561 |
| child-crowdsecurity/sshd-logs  | 381792 |  41542 |   340250 |
| crowdsecurity/dateparse-enrich |  41704 |  41704 | -        |
| crowdsecurity/geoip-enrich     |  41641 |  41641 | -        |
| crowdsecurity/http-logs        |    162 |     59 |      103 |
| crowdsecurity/nginx-logs       |    411 |    162 |      249 |
| crowdsecurity/non-syslog       |    411 |    411 | -        |
| crowdsecurity/sshd-logs        |  92126 |  41542 |    50584 |
| crowdsecurity/syslog-logs      | 120251 | 120249 |        2 |
| crowdsecurity/whitelists       |  41704 |  41704 | -        |
+--------------------------------+--------+--------+----------+
INFO[0000] Local Api Metrics:
+----------------------+--------+------+
|        ROUTE         | METHOD | HITS |
+----------------------+--------+------+
| /v1/alerts           | GET    |    3 |
| /v1/alerts           | POST   | 4673 |
| /v1/decisions/stream | GET    | 6498 |
| /v1/watchers/login   | POST   |   23 |
+----------------------+--------+------+
INFO[0000] Local Api Machines Metrics:
+----------------------------------+------------+--------+------+
|             MACHINE              |   ROUTE    | METHOD | HITS |
+----------------------------------+------------+--------+------+
| 7f0607a3469243139699bf2f30321fc4 | /v1/alerts | POST   | 4673 |
| 7f0607a3469243139699bf2f30321fc4 | /v1/alerts | GET    |    3 |
+----------------------------------+------------+--------+------+
INFO[0000] Local Api Bouncers Metrics:
+------------------------------+----------------------+--------+------+
|           BOUNCER            |        ROUTE         | METHOD | HITS |
+------------------------------+----------------------+--------+------+
| cs-firewall-bouncer-n3W19Qua | /v1/decisions/stream | GET    | 6498 |
+------------------------------+----------------------+--------+------+

Reading metrics

Those metrics are a great way to know if your configuration is correct :

The Acquisition Metrics is a great way to know if your parsers are setup correctly :

  • If you have 0 LINES PARSED for a source : You are probably missing a parser, or you have a custom log format that prevents the parser from understanding your logs.
  • However, it's perfectly OK to have a lot of LINES UNPARSED : Crowdsec is not a SIEM, and only parses the logs that are relevant to its scenarios. For example, ssh parser, only cares about failed authentication events (at the time of writting).
  • LINES POURED TO BUCKET tell you that your scenarios are matching your log sources : it means that some events from this log source made all their way to an actual scenario

The Parser Metrics will let you troubleshoot eventual parser misconfigurations : - HITS is how many events where fed to this specific parser - PARSED and UNPARSED indicate how many events successfully come out of the parser

For example, if you have a custom log format in nginx that is not supported by the default parser, you will end up seeing a lot of UNPARSED for this specific parser, and 0 for PARSED.

For more advanced metrics understanding, take a look at the dedicated prometheus documentation.

Deploy dashboard

sudo cscli dashboard setup --listen 0.0.0.0

A docker metabase container can be deployed with cscli dashboard. It requires docker, installation instructions are available here.

Logs

sudo tail -f /var/log/crowdsec.log
  • /var/log/crowdsec.log is the main log, it shows ongoing decisions and acquisition/parsing/scenario errors.
  • /var/log/crowdsec_api.log is the access log of the local api (LAPI)

Installing collections

sudo cscli collections install crowdsecurity/nginx

Collections are bundles of parsers/scenarios that form a coherent ensemble to analyze/detect attacks for a specific service. It is the most common way to deploy configurations.

They can be found and browsed on the Crowdsec Hub

Scalability

Crowdsec uses go-routines for parsing and enriching logs, pouring events to buckets and manage outputs.

By default, one routine of each exists (should be enough to handle ~1K EP/s), and can be changed in crowdsec_service of the main configuration file via the parser_routines, buckets_routines and output_routines directives.

Please keep in mind that thanks to the http API, the workload of log parsing can be splitted amongst several agents pushing to a single Local API.