You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: crowdsec-docs/unversioned/getting_started/healthcheck.mdx
+12-9Lines changed: 12 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -27,7 +27,7 @@ The HTTP collection and the Linux collection contain **dummy scenarios** allowin
27
27
:::
28
28
29
29
<details>
30
-
<summary>Test **HTTP** detection</summary>
30
+
<summary>Test HTTP detection</summary>
31
31
Let's trigger the `crowdsecurity/http-generic-test` dummy scenario by calling a *probe path* on your web server.
32
32
33
33
1️⃣ Request your service URL with the following path: `/crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl`
@@ -41,7 +41,7 @@ Note that this scenario has a delay of 5 minutes before it can re-trigger _(blac
41
41
</details>
42
42
43
43
<details>
44
-
<summary>☑️ Test **SSH** detection</summary>
44
+
<summary>Test SSH detection</summary>
45
45
Let's trigger the `crowdsecurity/ssh-generic-test` dummy scenario by logging in to your server via SSH with a specific user.
46
46
47
47
1️⃣ Try to authenticate to your server via SSH using the following user: `crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl`.
@@ -55,7 +55,7 @@ Note that this scenario has a delay of 5 minute before it can re-trigger _(black
55
55
</details>
56
56
57
57
<details>
58
-
<summary>☑️ Test CrowdSec WAF with an AppSec detection</summary>
58
+
<summary>Test CrowdSec WAF with an AppSec detection</summary>
59
59
If you are using an AppSec-capable bouncer and have configured CrowdSec WAF, you can test the detection of an AppSec scenario.
60
60
It's similar to the HTTP detection test, but it will trigger `crowdsecurity/appsec-generic-test`.
61
61
@@ -84,22 +84,23 @@ If not, check the troubleshooting section below
84
84
<summary>🚨 Detection Troubleshooting</summary>
85
85
86
86
*No alerts triggered? Let's investigate: Here are some tests to identify where the issue might be.*
87
-
If you installed CrowdSec Security Engine on the same host as the service you want to protect, the install wizards should have automatically detected the service and installed the appropriate parsers and scenarios.
87
+
88
+
If you installed **CrowdSec Security Engine** on the same **Host** as the service you want to protect, the install wizards should have automatically detected the service and installed the appropriate parsers and scenarios.
89
+
88
90
If you have non-default paths or format for your logs, or if you chose other installation methods (docker, kubernetes..), you may need to manually install the parsers and scenarios.
89
91
90
92
**This troubleshooting section will help you identify the issue and guide you through the necessary steps to fix it.**
91
93
92
94
<details>
93
95
<summary>Acquisition metrics check: are your logs read and parsed?</summary>
94
96
95
-
The acquisition and parsing aspect of CrowdSec is crucial, as it tells The Security Engine which logs to read and how to parse them.
96
-
You can setup multiple datasources (files, syslog, etc.), for more details you can refer to the [datasources documentation](https://doc.crowdsec.net/docs/next/log_processor/data_sources/intro).
97
+
The acquisition and parsing aspect of CrowdSec is crucial, as it tells The Security Engine which logs to read and how to parse them. You can setup multiple datasources (files, syslog, etc.), for more details you can refer to the [datasources documentation](https://doc.crowdsec.net/docs/next/log_processor/data_sources/intro).
97
98
98
99
Let's do a Top Down check using the `cscli metrics` command to see if your logs are being read and parsed correctly.
99
100
100
101
<CodeBlockclassName="language-bash">sudo cscli metrics show acquisition parsers</CodeBlock>
101
102
102
-
- You should see the names of the log files/stream configured in the acquisition files, and the number of lines parsed for each of them.
103
+
- You should see the **names of the log files/stream** configured in the acquisition files, and the number of lines parsed for each of them.
103
104
- The number of "Lines parsed" should be non-zero for each of the files you configured in the acquisition section.
104
105
- The parsers metrics show you what parsers were successfully used. Look for the name of the parsers installed for the logs you're reading
105
106
@@ -118,11 +119,13 @@ If not, check the troubleshooting section below
118
119
<details>
119
120
<summary>Acquisition Troubleshooting: are your logs properly declared as datasources</summary>
120
121
121
-
Your acquisition configuration is located in `/etc/crowdsec/acquis.yaml` or in `/etc/crowdsec/acquis.d/anyName.yaml`.
122
+
Your acquisition configuration is located in the `crowdsec` directory under `acquis.yaml` or `acquis.d/anyName.yaml`.
123
+
The crowdsec directory changes depending on your OS and installation method, for example, on Debian like OS it is usually located in `/etc/crowdsec/`.
124
+
125
+
You may want to check your current acquisition configuration or [add a new acquisition file](https://doc.crowdsec.net/u/getting_started/post_installation/acquisition_new).
122
126
- Check that the datasource is properly setup: file path or correct port for syslog server...
123
127
- Ensure that the type declared matches the parser expected to be used: nginx, apache, syslog, etc.
124
128
- for more information, check the [documentation for the various datasources](https://doc.crowdsec.net/docs/next/log_processor/data_sources/intro)
0 commit comments