wip

Author: mmetc

crowdsec-docs/docs/log_processor/intro.mdx

@@ -87,3 +87,9 @@ You can see more information on Whitelists in the [documentation](log_processor/
 Alert Context is additional context that can sent with an alert to the LAPI. This context can be shown locally via `cscli` or within the [CrowdSec Console](https://app.crowdsec.net/signup) if you opt in to share context when you enroll your instance.
 
 You can read more about Alert Context in the [documentation](log_processor/alert_context/intro.md).
+
+### Service Discovery & Setup
+
+On installation, CrowdSec can automatically detect existing services, download the relevant Hub collections, and generate acquisitions based on discovered log files.
+
+You can [customize or override these steps](log_processor/service-discovery-setup/intro.md), for example when provisioning multiple systems or using configuration management tools.

crowdsec-docs/docs/log_processor/service-discovery-setup/detect-yaml.md

@@ -0,0 +1,91 @@
+---
+id: detect-yaml
+title: detect.yaml file format
+sidebar_position: 1
+---
+
+# File layout: `detect.yaml`
+A minimal detection file is a YAML map with a top‐level `detect:` key. Under it, each entry describes one service plan:
+
+```yaml
+# detect.yaml
+---
+detect:
+  apache2-file-apache2:
+    when:
+      - Systemd.UnitInstalled("apache2.service") or len(Path.Glob("/var/log/apache2/*.log")) > 0
+    hub_spec:
+      collections:
+        - crowdsecurity/apache2
+    acquisition_spec:
+      filename: apache2.yaml
+      datasource:
+        source: file
+        filenames:
+          - /var/log/apache2/*.log
+        labels:
+          type: apache2
+```
+
+Fields
+
+- `when`: a list of boolean expressions evaluated on the host. Examples include:
+  - `Systemd.UnitInstalled("<unit>")`, `Windows.ServiceEnabled("<name>")`
+  - `Host.OS == "linux"`, `Host.OS == "windows"`
+  - `Path.Exists("/path/file")`, `len(Path.Glob("/path/*.log")) > 0`
+  - `System.ProcessRunning("<binary>")`
+- `hub_spec`: which Hub items to install (collections/parsers/scenarios, etc.). Unknown item types are preserved and passed through.
+- `acquisition_spec`: how to generate a per‐service acquisition file:
+  - `filename`: base name (no slashes). The actual path will be `acquis.d/setup.<filename>.yaml`.
+  - `datasource`: a map validated against the selected `source` (e.g., `file`, `journalctl`, `docker`, `wineventlog`, `cloudwatch`, `kinesis`, …). Required fields vary per source; the CLI validates them for you.
+
+Examples
+
+Basic OS / Hub only:
+
+```yaml
+detect:
+  linux:
+    when:
+      - Host.OS == "linux"
+    hub_spec:
+      collections: [crowdsecurity/linux]
+```
+
+`journalctl` source with a filter:
+
+```yaml
+detect:
+  caddy-journal:
+    when:
+      - Systemd.UnitInstalled("caddy.service")
+      - len(Path.Glob("/var/log/caddy/*.log")) == 0
+    hub_spec:
+      collections: [crowdsecurity/caddy]
+    acquisition_spec:
+      filename: caddy.yaml
+      datasource:
+        source: journalctl
+        labels: {type: caddy}
+        journalctl_filter:
+          - "_SYSTEMD_UNIT=caddy.service"
+```
+
+Windows event log:
+
+```yaml
+detect:
+  windows_auth:
+    when: [ Host.OS == "windows" ]
+    hub_spec:
+      collections: [crowdsecurity/windows]
+    acquisition_spec:
+      filename: windows_auth.yaml
+      datasource:
+        source: wineventlog
+        event_channel: Security
+        event_ids: [4625, 4623]
+        event_level: information
+        labels: {type: eventlog}
+```
+

crowdsec-docs/docs/log_processor/service-discovery-setup/intro.md

@@ -0,0 +1,148 @@
+---
+id: intro
+title: Service Discovery & Setup
+sidebar_position: 1
+---
+
+
+> Implementation notes & validation
+>
+> - The CLI can list supported services from your file (`--list-supported-services`). It also validates each datasource by type and errors out on unknown/misplaced fields (e.g., `source` missing; wrong keys for `journalctl`/`docker`; filename with slashes).
+>
+
+---
+
+# Use your custom `detect.yaml`
+You can provide your file in two ways:
+
+```bash
+# Path flag (recommended)
+cscli setup detect --detect-config /path/to/detect.yaml
+
+# Or via environment variable
+CROWDSEC_SETUP_DETECT_CONFIG=/path/to/detect.yaml cscli setup detect
+```
+
+Helpful flags:
+- `--yaml` – render the setup plan as YAML (easy to review/edit); default output is JSON.
+- `--force <svc>` – pretend detection matched for `<svc>` (repeatable).
+- `--ignore <svc>` – drop `<svc>` from the plan even if matched (repeatable).
+- `--skip-systemd` – disable systemd‐based detection (useful in containers/chroots).
+- `--list-supported-services` – print the service keys present in your file and exit.
+
+**End‑to‑end flow (typical)**
+```bash
+# 1) build a plan from your rules
+cscli setup detect --detect-config ./detect.yaml --yaml > setup.yaml
+
+# 2) validate that plan (optional but recommended)
+cscli setup validate ./setup.yaml
+
+# 3) install Hub items + write acquis files
+cscli setup install-hub    ./setup.yaml
+cscli setup install-acquisition ./setup.yaml --acquis-dir /etc/crowdsec/acquis.d
+```
+
+# Examples: override defaults (nginx path, etc.)
+If your logs live in non‑standard locations, just encode that in `acquisition_spec`.
+
+```yaml
+# detect.yaml
+---
+detect:
+  nginx-custom:
+    when:
+      - Systemd.UnitInstalled("nginx.service") or len(Path.Glob("/srv/logs/nginx/*.log")) > 0
+    hub_spec:
+      collections: [crowdsecurity/nginx]
+    acquisition_spec:
+      filename: nginx.yaml
+      datasource:
+        source: file
+        filenames:
+          - /srv/logs/nginx/*.log  # <- your path here
+        labels: {type: nginx}
+```
+
+You can also define detection purely by process name when systemd isn’t a good signal:
+```yaml
+  app-by-process:
+    when: [ System.ProcessRunning("myappd") ]
+    acquisition_spec:
+      filename: myappd.yaml
+      datasource:
+        source: file
+        filenames: [ /var/log/myappd/*.log ]
+        labels: {type: myappd}
+```
+
+---
+
+# Generated acquisition files & coexistence with your own files
+When you install acquisition from a setup plan, the CLI writes one file per service as `setup.<name>.yaml` in the acquisition directory (typically `/etc/crowdsec/acquis.d`). The content is **prefixed with a header** that includes a truncated `cscli-checksum` and a comment stating it was generated by `cscli setup`.
+
+- Files carrying a valid `cscli-checksum` are considered **generated** and may be overwritten by future runs.
+- Files **without** a valid checksum are treated as **manually edited**; in interactive flows, the CLI shows a colorized diff and asks before overwriting. In unattended flows, the command refuses to proceed if manual files are detected.
+- Either way, the safest practice is: **don’t edit generated files**. If you need changes, delete the generated `setup.<name>.yaml` and create your own hand‑managed file instead.
+
+> Tips
+> - The actual on‑disk path is computed as `acquis.d/setup.<filename>` where `<filename>` comes from `acquisition_spec.filename`.
+> - Use `--acquis-dir` to target a different directory.
+> - `--dry-run` prints what would be created without writing files.
+
+---
+
+# Unattended installs with a custom detect file
+Package installers often call:
+
+```bash
+cscli setup unattended
+```
+
+This mode:
+- uses the same `--detect-config` and `--acquis-dir` flags;
+- never prompts for confirmation;
+- will skip itself entirely if `CROWDSEC_SETUP_UNATTENDED_DISABLE` is non‑empty (handy for Ansible/automation);
+- installs Hub items and writes `setup.*.yaml` files if and only if there are no conflicting manual acquisitions.
+
+---
+
+# Validation & troubleshooting
+- **Validate your setup plan** before writing files:
+  ```bash
+  cscli setup validate ./setup.yaml
+  ```
+- Common validation errors (examples):
+  - missing `datasource.source`
+  - wrong keys for a source type (e.g., `filename` under `journalctl`)
+  - missing mandatory fields (e.g., `journalctl_filter` for `journalctl`, `containers/services` for `docker`)
+  - `acquisition_spec.filename` contains slashes/backslashes
+
+---
+
+# Reference snippets
+- Linux collection detection:
+  ```yaml
+  detect:
+    linux:
+      when: [ Host.OS == "linux" ]
+      hub_spec:
+        collections: [crowdsecurity/linux]
+  ```
+- MariaDB/MySQL file detection with distro fallbacks:
+  ```yaml
+  detect:
+    mariadb:
+      when:
+        - Systemd.UnitInstalled("mariadb.service") or Path.Exists("/var/log/mariadb/mariadb.log")
+      hub_spec: { collections: [crowdsecurity/mariadb] }
+      acquisition_spec:
+        filename: mariadb.yaml
+        datasource:
+          source: file
+          labels: {type: mysql}
+          filenames:
+            - /var/log/mysql/error.log
+            - /var/log/mariadb/mariadb.log
+  ```
+