enhance: update sidebar and add TLD's

Author: LaurenceJJones

crowdsec-docs/docs/local_api/intro.md

@@ -6,11 +6,11 @@ sidebar_position: 1
 
 # Local API
 
-The Local API (LAPI) is a core component of CrowdSec to :
+The Local API (LAPI) is one of the core component of the Security Engine to :
 
- - Allow CrowdSec machines to push alerts & decisions to a database
- - Allow bouncers to consume said alerts & decisions from database
- - Allow `cscli` to view add or delete decisions
+ - Allow Log Processors to push alerts & decisions to a database
+ - Allow Remediation Components to consume said alerts & decisions from database
+ - Allow `cscli` to manage the database (list, delete, etc)
 
 You can find the swagger documentation [here](https://crowdsecurity.github.io/api_doc/lapi/).
 
@@ -20,40 +20,54 @@ This allows you to create [multi-machines architectures](https://crowdsec.net/mu
 
 There are three kinds of authentication to the Local API :
 
- - Bouncers: they authenticate with a simple API key and can only read decisions
+1. API Keys: they are used to authenticate Remediation Components (bouncers) and can only read decisions
+2. Login/Password: they are used to authenticate Log Processors (machines) and can read, create and delete decisions
+3. TLS client certificates:
+    - they are used to authenticate Remediation Components (bouncers) and Log Processors (machines)
+    - based on the OU field of the certificate, the Local API will determine what permissions the client has as per the restrictions above (log processor or remediation components)
+    - this allows the Local API to authenticate clients without generating the clients before hand if you have a dynamic environment
 
- - Machines: they authenticate with a login and password and can not only read decisions, but create new ones too
+For TLS authentication please see our [dedicated documentation](/local_api/tls_auth.md).
 
- - TLS client certificates: it allows you to connect new bouncers or machines to the local API without registring them first 
+### Remediation Components (Bouncers)
 
-
-### Bouncers
-
-To register a bouncer to your API, you need to run the following command on the server where the API is installed:
+To register a Remediation Component to your API, you need to run the following command on the server where the API is installed:
 
 ```bash
 sudo cscli bouncers add testBouncer
 ```
 
-and keep the generated API token to use it in your bouncers configuration file.
-
-See [here](/local_api/tls_auth.md) for the documentation about TLS authentication.
+and keep the generated API token to use it in your Remediation Component configuration file.
 
-### Machines
+### Log Processors (machines)
 
-To allow a machine to communicate with the Local API, the machine needs to be validated by an administrator of the Local API.
+To allow a log processor to communicate with the Local API, each instance will need it own set of credentials which is validated by an admin of the Local API.
 
 There are two ways to register a CrowdSec to a Local API.
 
-* You can create a machine directly on the API server that will be automatically validated by running the following command on the server where the API is installed:
+1. You can generate credentials directly on the Local API server:
 
 ```bash
 sudo cscli machines add testMachine
 ```
 
-If your CrowdSec runs on the same server as the Local API, then your credentials file will be generated automatically, otherwise you will have to copy/paste them in your remote CrowdSec credentials file (`/etc/crowdsec/local_api_credentials.yaml`)
+:::warning
+if you are running this command on the local API server, most likely it will already have it own credentials file. If you are generating credentials for a remote machine you must pass the `-f` flag to generate the credentials to another file.
+
+```bash
+sudo cscli machines add testMachine -f /path/to/credentials.yaml
+```
+or
+```bash
+sudo cscli machines add testMachine -f- > /path/to/credentials.yaml
+```
+:::
+
+Upon installation of CrowdSec it will generate it own set of credentials to operate the log processor and local API server.
 
-* You can use `cscli` to register to the API server:
+If you are installing these credentials on a remote machine, you must replace the `local_api_credentials.yaml` file within the configuration directory, you can find the location of this directory [here](/u/troubleshooting/security_engine#where-is-configuration-stored) based on your operating system.
+
+2. You can use `cscli` to send a registration request to the Local API server:
 
 ```bash
 sudo cscli lapi register -u <api_url>
@@ -69,8 +83,6 @@ sudo cscli machines validate <machineName>
 You can use `cscli machines list` to list all the machines registered to the API and view the ones that are not validated yet.
 :::
 
-See [here](/local_api/tls_auth.md) for the documentation about TLS authentication.
-
 ## Configuration
 
 ### Client
@@ -79,7 +91,7 @@ By default, `crowdsec` and `cscli` use `127.0.0.1:8080` as the default Local API
 
 #### Register to a Remote API server
 
-* On the remote CrowdSec server, run:
+* On the machine you want to connect to a Local API server, run the following command:
 
 ```bash
 sudo cscli lapi register -u http://<remote_api>:<port>
@@ -96,25 +108,87 @@ sudo cscli machines list # to get the name of the new registered machine
 sudo cscli machines validate <machineName>
 ```
 
+* Restart the CrowdSec service on the machine you registered once validated:
+
+```bash
+sudo systemctl restart crowdsec
+```
+
+#### Disable the registered machine Local API
+
+On the machine you ran `cscli lapi register`, it optimal to disable the Local API component to save on resources since it is now forwarding all alerts/decisions to the Local API server.
+
+Within the `config.yaml` file, set `enable` under `api.server` to `false`:
+
+```yaml
+api:
+  server:
+    enable: false
+```
+
+See where the `config.yaml` file is located on your operating system [here](/u/troubleshooting/security_engine#where-is-configuration-stored)
 
 ### Server
 
 #### Configure listen URL
 
-If you would like your Local API to be used by a remote CrowdSec installation, you will need to modify the URL it listens on.
-Modify the [`listen_uri` option](/configuration/crowdsec_configuration.md#listen_uri) in the main configuration file.
-Then see [how to configure your crowdsec to use a remote API](/u/user_guides/machines_mgmt).
+If you would like your Local API to be used by a remote CrowdSec installation, you will need to modify the URL it listens on as by default it will listen on the loopback interface.
 
+Modify the [`listen_uri`](/configuration/crowdsec_configuration.md#listen_uri) option in the `config.yaml`.
 
 #### Enable SSL
 
-The most common use case of the Local API is to listen on 127.0.0.1. In that case there's no need for
-configuring any ssl layer. In some cases, the local API will listen for other CrowdSec installations that
-will report their triggered scenarios. In that case the endpoint may be configured with ssl.
-You can see how to configure SSL on your Local API [here](/configuration/crowdsec_configuration.md#tls).
+If your Local API is exposed to the internet, it is recommended to enable SSL or at least use a reverse proxy with SSL termination to secure the communication between the Log Processors / Remediation Components and the Local API.
+
+If your Log Processors and Remediation Components are apart of the same LAN or VPN, then this is not necessary step.
+
+##### Local API SSL
+
+You can configure the Local API to use SSL by setting the `tls` option under `api.server` in the `config.yaml` file.
+
+```yaml
+api:
+  server:
+    tls:
+      cert_path: "/path/to/cert.pem"
+      key_path: "/path/to/key.pem"
+```
+
+:::info
+If you are using a self signed certificate on connecting Log Processors and Remediation Components you must enable `insecure_skip_verify` options.
+:::
+
+- Log Processors (machines)
+
+```yaml
+api:
+  client:
+      insecure_skip_verify: true
+```
+
+- Remediation Components (bouncers)
+
+This can differ based on the configuration please refer to the documentation of the component you are using.
+
+If you would like to read the full configuration options for TLS on the Local API please [see here](/configuration/crowdsec_configuration.md#tls).
 
 You can also refer [here](/local_api/tls_auth.md) for the documentation about TLS authentication.
 
+##### Reverse Proxy
+
+We cannot cover all the reverse proxies available, please refer to the documentation of the reverse proxy you are using. However, the reverse proxy must send the connecting IP address as the `X-Forwarded-For` header to the Local API.
+
+However, when the Local API is behind a reverse proxy you will need to configure the `trusted_proxies` and `use_forwarded_for_headers` options under `api.server` within the `config.yaml` file to be able to get the correct IP address within the database.
+
+```yaml
+api:
+  server:
+    use_forwarded_for_headers: true
+    trusted_proxies:
+      - "127.0.0.1" ## Change this to the proxy IP this is presuming the proxy is on the same machine
+```
+
+See where the `config.yaml` file is located on your operating system [here](/u/troubleshooting/security_engine#where-is-configuration-stored)
 
 See the [Local API public documentation](https://crowdsecurity.github.io/api_doc/lapi/).
 

crowdsec-docs/docs/log_processor/intro.mdx

@@ -0,0 +1,103 @@
+---
+id: intro
+title: Introduction
+sidebar_position: 1
+---
+
+The Log Processor is one of the core component of the Security Engine to:
+
+- Read logs from [Data Sources](log_processor/data_sources/introduction.md) in the form of Acquistions.
+- Parse the logs and extract relevant information using [Parsers](log_processor/parsers/introduction.mdx).
+- Enrich the parsed information with additional context such as GEOIP, ASN using [Enrichers](log_processor/parsers/enricher.md).  
+- Monitor the logs for patterns of interest known as [Scenarios](log_processor/scenarios/introduction.mdx).
+- Push alerts to the Local API (LAPI) for alert/decisions to be stored within the database.
+
+!TODO: Add diagram of the log processor pipeline
+- Read logs from datasources
+- Parse the logs
+- Enrich the parsed information
+- Monitor the logs for patterns of interest
+
+
+## Introduction
+
+The Log Processor is an internal core component of the Security Engine in charge of reading logs from Data Sources, parsing them, enriching them, and monitoring them for patterns of interest.
+
+Once a pattern of interest is detected, the Log Processor will push alerts to the Local API (LAPI) for alert/decisions to be stored within the database.
+
+## Data Sources
+
+Data Sources are individual modules that can be loaded at runtime by the Log Processor to read logs from various sources. To define a Data Source, you will need to create an acquisition configuration file.
+
+### Acquistions
+
+Acquisitions are the configuration files that define how the Log Processor should read logs from a Data Source. Acquisitions are defined in YAML format and are loaded by the Log Processor at runtime.
+
+We have two ways to define Acquisitions within the [configuration directory](/u/troubleshooting/security_engine#where-is-configuration-stored) :
+
+- `acquis.yaml` file: This used to be only place to define Acquisitions prior to `1.5.0`. This file is still supported for backward compatibility.
+- `acquis.d` folder: This is a directory where you can define multiple Acquisitions in separate files. This is useful when you want to auto generate files using an external application such as ansible.
+
+```yaml title="Example Acquisition Configuration"
+## /etc/crowdsec/acquis.d/file.yaml
+source: file ## The Data Source module to use
+filenames:
+ - /tmp/foo/*.log
+ - /var/log/syslog
+labels:
+ type: syslog
+```
+
+For more information on Data Sources and Acquisitions, see the [Data Sources](log_processor/data_sources/introduction.md) documentation.
+
+## Collections
+
+Collections are used to group together Parsers, Scenarios, and Enrichers that are related to a specific application. For example the `crowdsecurity/nginx` collection contains all the Parsers, Scenarios, and Enrichers that are needed to parse logs from an NGINX web server and detect patterns of interest.
+
+You can see all available collections on the [Hub](https://app.crowdsec.net/hub/collections).
+
+### Parsers
+
+The parsing pipeline is broken down into multiple stages:
+
+- `s00-raw` : This is the first stage which aims to normalize the logs from various [Data Sources](log_processor/data_sources/introduction.md) into a predictable format for `s01-parse` and `s02-enrich` to work on.
+- `s01-parse` : This is the second stage responsible for extracting relevant information from the normalized logs based on the application type to be used by `s02-enrich` and the [Scenarios](log_processor/scenarios/introduction.mdx).
+- `s02-enrich` : This is the third stage responsible for enriching the extracted information with additional context such as GEOIP, ASN etc.
+
+:::info
+We will give a breif overview of each stage, however, for most users this documentation is not required to get started with CrowdSec but can be used to understand the inner workings of the Log Processor.
+:::
+
+#### `s00-raw`
+
+This stage is responsible for normalizing logs from various [Data Sources](log_processor/data_sources/introduction.md) into a predictable format for `s01-parse` and `s02-enrich` to work on.
+
+For example if you have a `syslog` Data Source and a `container` Data Source writing the same application log lines you wouldnt want `s01-parse` to handle this logic twice, since `s00-raw` can normalize the logs into a predictable format. 
+
+For most instances we have already created these `s00-raw` parsers for you are available to view on the [Hub](https://hub.crowdsec.net/).
+
+#### `s01-parse`
+
+The stage is responsible for extracting relevant information from the normalized logs based on the application type.
+
+The application type is defined in different ways based on the Data Source. Please refer to the [Data Sources](log_processor/data_sources/introduction.md) documentation for more information.
+
+We list all available applications we support on the [Hub](https://hub.crowdsec.net/) and within the readme of the collection our users provide an example Acquisition configuration.
+
+#### `s02-enrich`
+
+The aim of this stage is to enrich the extracted information with additional context such as GEOIP, ASN etc.
+
+However, the stage can also be used to perform whitelist checks, however, we have dedicated documentation for this [here](log_processor/whitelist/introduction.md).
+
+Currently we have a few enrichers available on the [Hub](https://hub.crowdsec.net/), that are installed by default so you dont need to worry about this stage unless you want to create your own.
+
+For more information on Parsers, see the [Parsers](log_processor/parsers/introduction.mdx) documentation.
+
+### Scenarios
+
+Scenarios are the patterns of interest that the Log Processor is monitoring for. When a pattern of interest is detected, the Log Processor will push alerts to the Local API (LAPI) for alert/decisions to be stored within the database.
+
+The patterns can be as simple as tracking the number of failed login attempts or as complex as tracking logging in from multiple countries within a short period of time which can be a indicator of a compromised account or VPN usage.
+
+The community provides a number of scenarios on the [Hub](https://hub.crowdsec.net/) that you can install and use. If you would like to create your own, see the [Scenarios](log_processor/scenarios/introduction.mdx) documentation.

crowdsec-docs/docs/log_processor/parsers/introduction.mdx

@@ -54,11 +54,11 @@ Usually, those parsers should be kept for "expensive" parsers that might rely on
 
 
 
-See the [Hub](https://hub.crowdsec.net/browse/#configurations) to explore parsers, or see below some examples:
+See the [Hub](https://app.crowdsec.net/hub/configurations) to explore parsers, or see below some examples:
 
- - [apache2 access/error log parser](https://github.com/crowdsecurity/hub/blob/master/parsers/s01-parse/crowdsecurity/apache2-logs.yaml)
- - [iptables logs parser](https://github.com/crowdsecurity/hub/blob/master/parsers/s01-parse/crowdsecurity/iptables-logs.yaml)
- - [http logs post-processing](https://github.com/crowdsecurity/hub/blob/master/parsers/s02-enrich/crowdsecurity/http-logs.yaml)
+ - [apache2 access/error log parser](https://app.crowdsec.net/hub/author/crowdsecurity/configurations/apache2-logs)
+ - [iptables logs parser](https://app.crowdsec.net/hub/author/crowdsecurity/configurations/iptables-logs)
+ - [http logs post-processing](https://app.crowdsec.net/hub/author/crowdsecurity/configurations/http-logs)
 
 The parsers usually reside in `/etc/crowdsec/parsers/<STAGE>/`.