moved content

mmetc · mmetc · commit ecbdcd2991f3 · 2025-08-28T15:31:31.000+02:00
diff --git a/crowdsec-docs/docs/log_processor/data_sources/introduction.md b/crowdsec-docs/docs/log_processor/data_sources/introduction.md
@@ -6,9 +6,55 @@ sidebar_position: 1
 
 ## Datasources
 
-To be able to monitor applications, the Security Engine needs to access logs.
-DataSources are configured via the [acquisition](/configuration/crowdsec_configuration.md#acquisition_path) configuration, or specified via the command-line when performing cold logs analysis.
+To monitor applications, the Security Engine needs to read logs.
+DataSources define where to access them (either as files, or over the network from a centralized logging service).
 
+They can be defined:
+
+- in [Acquisition files](/configuration/crowdsec_configuration.md#acquisition_path). Each file contains one or more DataSource definitions, separated by a line with three dashes (`---`).
+- for cold log analysis, you can also specify acquisitions via the command line.
+
+
+### Service detection (automated setup)
+
+When CrowdSec is installed via a package manager on a fresh system, the package may run `cscli setup` in **unattended** mode.
+
+The `cscli setup` command will:
+
+- detect installed services and common log file locations
+- install the related Hub collections
+- generate acquisition files under `acquis.d/` as `setup.<service>.yaml` (e.g., `setup.linux.yaml`)
+
+Generated files are meant to be managed by CrowdSec; don’t edit them in place. If you need changes, delete the generated file and create your own.
+
+When upgrading or reinstalling CrowdSec, it detects non-generated or modified files and won’t overwrite your custom acquisitions.
+
+:::caution
+
+Make sure the same data sources are not ingested more than once: duplicating inputs can artificially increase scenario sensitivity.
+
+:::
+
+Examples:
+
+- If an application logs to both `journald` and `/var/log/*`, you usually only need one of them.
+- If an application writes to `/var/log/syslog` or `/var/log/messages`, it’s already acquired by `setup.linux.yaml` (since 1.7) or `acquis.yam`. You don’t need to add a separate acquisition for the same logs.
+
+For config-managed deployments (e.g., Ansible), set the environment variable `CROWDSEC_SETUP_UNATTENDED_DISABLE` to any non-empty value to skip the automated setup.
+In that case, ensure you configure at least one data source and install the OS collection (e.g., crowdsecurity/linux).
+
+For more information on the automated configuration, see the command `cscli setup`.
+
+### Assisted service detection (semi-automated setup)
+
+If you installed new applications and want to detect the service detection again, running `cscli setup` yourself will guide you through the
+automated setup, with confirmation prompts. You will receive a warning if you already configured some acquisition yourself but they won't be
+modified by `cscli`.
+
+Note that `cscli setup` will not remove any collection or acquisition file in `acquis.d/setup.<service>.yaml`, even if the service has been uninstalled since the file creation.
+
+
+## Datasources modules
 
 Name | Type | Stream | One-shot
 -----|------|--------|----------
@@ -70,31 +116,34 @@ If not set, then crowdsec will think all logs happened at once, which can lead t
 A map of labels to add to the event.
 The `type` label is mandatory, and used by the Security Engine to choose which parser to use.
 
-## Acquisition configuration example
+## Acquisition configuration examples
 
-```yaml title="/etc/crowdsec/acquis.yaml"
+```yaml title="/etc/crowdsec/acquis.d/nginx.yaml"
 filenames:
   - /var/log/nginx/*.log
 labels:
   type: nginx
----
+```
+
+```yaml title="/etc/crowdsec/acquis.d/linux.yaml"
 filenames:
  - /var/log/auth.log
  - /var/log/syslog
 labels:
   type: syslog
----
+```
+
+```yaml title="/etc/crowdsec/acquis.d/docker.yaml"
 source: docker
 container_name_regexp:
  - .*caddy*
 labels:
   type: caddy
----
-...
 ```
 
 :::warning
 The `labels` and `type` fields are necessary to dispatch the log lines to the right parser.
 
+You can define multiple datasources in the same yaml file, separated by the line `---` 
 Also note between each datasource is `---` this is needed to separate multiple YAML documents (each datasource) in a single file.
 :::
diff --git a/crowdsec-docs/docs/log_processor/intro.mdx b/crowdsec-docs/docs/log_processor/intro.mdx
@@ -50,32 +50,8 @@ labels:
  type: syslog
 ```
 
-When CrowdSec is installed via a package manager on a fresh system, the package manager may run `cscli setup` in **unattended** mode.
-It detects installed services and common log file locations, installs the related Hub collections, and generates acquisition files under `acquis.d/setup.<service>.yaml`, e.g. `setup.linux.yaml`).
-
-Generated files are meant to be managed by crowdsec; don’t edit them in place. If you need changes, delete the generated file and create your own.
-
-When upgrading or reinstalling crowdsec, it detects non-generated or modified files and won’t overwrite your custom acquisitions.
-
-:::caution
-
-Make sure the same data sources aren’t ingested more than once: duplicating inputs can artificially increase scenario sensitivity.
-
-:::
-
-Examples:
-
- - If an application logs to both `journald` and `/var/log/*`, you usually only need one of them.
-
- - If an application writes to `/var/log/syslog` or `/var/log/messages`, it’s already acquired by `setup.linux.yaml` (since 1.7) or `acquis.yam`. You don’t need to add a separate acquisition for the same logs.
-
-For config-managed deployments (e.g., Ansible), set the environment variable `CROWDSEC_SETUP_UNATTENDED_DISABLE` to any non-empty value to skip the automated setup.
-In that case, ensure you configure at least one data source and install the OS collection (e.g., crowdsecurity/linux).
-
 For more information on Data Sources and Acquisitions, see the [Data Sources](log_processor/data_sources/introduction.md) documentation.
 
-For more information on the automated configuration, see the command `cscli setup`.
-
 ## Collections
 
 Collections are used to group together Parsers, Scenarios, and Enrichers that are related to a specific application. For example the `crowdsecurity/nginx` collection contains all the Parsers, Scenarios, and Enrichers that are needed to parse logs from an NGINX web server and detect patterns of interest.
diff --git a/crowdsec-docs/unversioned/getting_started/post_installation/acquisition.mdx b/crowdsec-docs/unversioned/getting_started/post_installation/acquisition.mdx
@@ -5,13 +5,14 @@ title: Acquisition
 
 # Acquisition
 
-By default when CrowdSec is installed it will attempt to detect the running services and acquire the appropriate log sources and [Collections](https://docs.crowdsec.net/docs/next/collections/intro).
+By default when CrowdSec is installed it will attempt to [detect the running services](/log_processor/data_sources#service-detection) and acquire the appropriate log sources and [Collections](https://docs.crowdsec.net/docs/next/collections/intro).
 
-However, we should check that this detection worked or you may want to manually acquire additional [Collections](https://docs.crowdsec.net/docs/next/collections/intro) for other services that are not detected.
+However, we should check that this detection worked and the log locations are correct.
+You may want to manually acquire additional [Collections](https://docs.crowdsec.net/docs/next/collections/intro) for the services that were not detected.
 
 ## What log sources are already detected?
 
-To find what log sources are already detected, you can use the `cscli` command line tool.
+To find out which log sources are providing data to crowdsec, you can query the CrowdSec metrics with the `cscli` command line tool.
 
 ```bash
 cscli metrics show acquisition
