Version: Next

Expression Helpers Reference

Various helpers are available for use in the detect.yaml file to determine how crowdsec should be configured.

Host

This object gives access to various information about the current state of the operating system

`Host.Hostname`

Returns the hostname of the machine

Host.Hostname == "mymachine"

`Host.Uptime`

Returns the uptime of the machine in seconds.

`Host.Boottime`

Returns the unix timestamp of the time the machine booted.

`Host.Procs`

Returns the number of processes on the machine.

`Host.OS`

Returns the name of the OS (linux, freebsd, windows, ...)

Host.OS == "linux"

`Host.Platform`

Returns the variant of the OS (ubuntu, linuxmint, ....)

Host.Platform == "ubuntu"

`Host.PlatformFamily`

Returns the family of the OS (debian, rhel, ...)

Host.PlatformFamily == "debian"

`Host.PlatformVersion`

Returns the version of the OS or distribution (for linux, /etc/os-release)

`Host.PlatformVersion == "25.04"

`Host.KernelVersion`

Returns the current kernel version as returned by uname -r

`Host.KernelVersion == "6.16.2"

`Host.KernelArch`

Returns the native architecture of the system (x86_64, ...)

Host.KernelArch == "x86_64"

`Host.VirtualizationSystem`

Returns the name of the virtualization system in use if any.

Host.VirtualizationSystem == "kvm"

`Host.VirtualizationRole`

Returns the virtualization role of the system if any (guest, host)

Host.VirtualizationRole == "host"

`Host.HostID`

Returns a unique ID specific to the system.

Path

This object exposes helpers functions for the filesystem

`Exists(path) bool`

Returns true if the specified path exists.

Path.Exists("/var/log/nginx/access.log") == true

`Glob(pattern) []string`

Returns a list of files matching the provided pattern.

Returns an empty list if the glob pattern is invalid

len(Path.Glob("/var/log/nginx/*.log")) > 0

System

`ProcessRunning(name) bool`

Returns true if there's any process with the specified name running

System.ProcessRunning("nginx") == true

Systemd

This object exposes helpers to get informations about Systemd units.

Only available on Linux.

`UnitInstalled(unitName) bool`

Returns true if the provided unit is installed.

Systemd.UnitInstalled("nginx") == true

`UnitConfig(unitName, key) string`

Returns the value of the specified key from the specified unit.

Returns an empty value if the unit if not installed and an error if the key does not exist.

Systemd.UnitConfig("nginx", "StandardOutput") == "journal"

`UnitLogsToJournal(unitName) bool`

Returns true if unit stdout/stderr are redirect to journal or journal+console.

Systemd.UnitLogsToJournal("nginx") == true

Windows

This object exposes helpers to get informations about Windows services.

Only available on Windows.

`ServiceEnabled(serviceName) bool`

Returns true if the specified service exists and is configured to start automatically on boot.

Windows.ServiceEnabled("MSSSQLSERVER") == true

Version

`Check(version, constraint) bool`

Performs a semantic version check.

Constraint supports operators like =, !=, <, <=, >, >=, ranges (1.1.1 - 1.3.4), AND with commas (>1, <3), and ~ compatible ranges.

Version.Check(Host.KernelVersion, ">=6.24.0")

Host​

Host.Hostname​

Host.Uptime​

Host.Boottime​

Host.Procs​

Host.OS​

Host.Platform​

Host.PlatformFamily​

Host.PlatformVersion​

Host.KernelVersion​

Host.KernelArch​

Host.VirtualizationSystem​

Host.VirtualizationRole​

Host.HostID​

Path​

Exists(path) bool​

Glob(pattern) []string​

System​

ProcessRunning(name) bool​

Systemd​

UnitInstalled(unitName) bool​

UnitConfig(unitName, key) string​

UnitLogsToJournal(unitName) bool​

Windows​

ServiceEnabled(serviceName) bool​

Version​

Check(version, constraint) bool​