crowdsec-docs/docs/log_processor/data_sources/introduction.md
Lines changed: 1 addition & 38 deletions
@@ -9,47 +9,10 @@ DataSources define where to access them (either as files, or over the network fr
9
9
10
10
They can be defined:
11
11
12
-
- in [Acquisition files](/configuration/crowdsec_configuration.md#acquisition_path). Each file can contain multiple DataSource definitions.
12
+
- in [Acquisition files](/configuration/crowdsec_configuration.md#acquisition_path). Each file can contain multiple DataSource definitions. This configuration can be generated automatically, please refer to the [Service Discovery documentation](/log_processor/service-discovery-setup/intro.md)
13
13
- for cold log analysis, you can also specify acquisitions via the command line.
14
14
15
15
16
-
### Service detection (automated setup)
17
-
18
-
When CrowdSec is installed via a package manager on a fresh system, the package may run [`cscli setup`](/cscli/cscli_setup) in **unattended** mode.
19
-
20
-
The `cscli setup` command will:
21
-
22
-
- detect installed services and common log file locations
23
-
- install the related Hub collections
24
-
- generate acquisition files under `acquis.d/` as `setup.<service>.yaml` (e.g., `setup.linux.yaml`)
25
-
26
-
Generated files are meant to be managed by CrowdSec; don’t edit them in place. If you need changes, delete the generated file and create your own.
27
-
28
-
When upgrading or reinstalling CrowdSec, it detects non-generated or modified files and won’t overwrite your custom acquisitions.
29
-
30
-
:::caution
31
-
32
-
Make sure the same data sources are not ingested more than once: duplicating inputs can artificially increase scenario sensitivity.
33
-
34
-
Examples:
35
-
36
-
- If an application logs to both `journald` and `/var/log/*`, you usually only need one of them.
37
-
- If an application writes to `/var/log/syslog` or `/var/log/messages`, it’s already acquired by `setup.linux.yaml` (since 1.7) or `acquis.yaml`. You don’t need to add a separate acquisition for the same logs.
38
-
39
-
:::
40
-
41
-
For config-managed deployments (e.g., Ansible), set the environment variable `CROWDSEC_SETUP_UNATTENDED_DISABLE` to any non-empty value to skip the automated setup.
42
-
In that case, ensure you configure at least one data source and install the OS collection (e.g., crowdsecurity/linux).
43
-
44
-
### Assisted service detection (semi-automated setup)
45
-
46
-
If you installed new applications and want to detect the service detection again, running [`cscli setup`](/cscli/cscli_setup) yourself will guide you through the
47
-
automated setup, with confirmation prompts. You will receive a warning if you already configured some acquisition yourself but they won't be
48
-
modified by `cscli`.
49
-
50
-
Note that `cscli setup` will not remove any collection or acquisition file in `acquis.d/setup.<service>.yaml`, even if the service has been uninstalled since the file creation.
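Review bot: The removed `:::caution` block warns that ingesting the same data source twice "can artificially increase scenario sensitivity", and that applies to any acquisition a reader writes by hand, not only to files generated by `cscli setup`, so it should not disappear from the data sources introduction. Keep a short version of it here (for example the `journald` versus `/var/log/*` case), or confirm in the PR description that the linked Service Discovery page now carries it. The same goes for the `CROWDSEC_SETUP_UNATTENDED_DISABLE` paragraph and the "don’t edit them in place" rule for `setup.<service>.yaml` files, since none of the destination text is visible in this diff. On the added line, the two sentences joined by a comma would read better split and closed with a period: "This configuration can be generated automatically. Please refer to the [Service Discovery documentation](/log_processor/service-discovery-setup/intro.md)."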