Skip to main content
Version: v1.3.4


To be able to detect things, crowdsec needs to access logs. DataSources are configured via the acquisition configuration, or specified via the command-line when performing cold logs analysis.

filesingle files, glob expressions and .gz filesyesyes
journaldjournald via filteryesyes
AWS cloudwatchsingle stream or log groupyesyes
syslog serviceread logs received via syslog protocolyesno
dockerread logs from docker containersyesyes
AWS kinesisread logs from a kinesis streanyesno

While various data sources are supported, they all share the same common configuration structure :

source: <source>
type: syslog
#log_level: <log_level>

All the data sources supports :

  • a log_level to configure verbosity of given source (trace, debug, info, warning, error)
  • a labels map with a mandatory type field
  • a source indicating which implementation the configuration referes to (file, journald, syslog, cloudwatch ...)
  • and a section that is specific to the data source implemention, see dedicated sections bellow

The labels and type subsection are crucial as this is what is going to indicate which parsers pickup the log line.

CrowdSec ConsoleCrowdSec Console