docs/faq.md
+8-1
@@ -53,13 +53,20 @@ SQLite by default as it's suitable for standalone/single-machine setups.
53
53
54
54
## How to control granularity of actions ? (whitelists, simulation etc.)
55
55
56
-
{{v1X.crowdsec.name}} support both [whitelists]((/Crowdsec/v1/write_configurations/whitelist/) and [simulation](/Crowdsec/v1/references/simulation/) :
56
+
{{v1X.crowdsec.name}} support both [whitelists](/Crowdsec/v1/write_configurations/whitelist/) and [simulation](/Crowdsec/v1/references/simulation/) :
57
57
58
58
- Whitelists allows you to "discard" events or overflows
59
59
- Simulation allows you to simply cancel the decision that is going to be taken, but keep track of it
60
60
61
61
{{v1X.profiles.htmlname}} allows you to control which decision will be applied to which alert.
62
62
63
+
## How to know if my setup is working correctly ? Some of my logs are unparsed, is it normal ?
64
+
65
+
Yes, crowdsec parsers only parse the logs that are relevant for scenarios :)
66
+
67
+
Take a look at `cscli metrics`[and understand what do they mean](/Crowdsec/v1/getting_started/crowdsec-tour/#reading-metrics) to know if your setup is correct.
68
+
69
+
63
70
## How to add whitelists ?
64
71
65
72
You can follow this [guide](/Crowdsec/v1/write_configurations/whitelist/)
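Review bot: the new `cscli metrics` sentence is missing a space between the closing backtick and the link, and the link text should read "and understand what they mean" rather than "what do they mean"; suggest `Take a look at \`cscli metrics\` [and understand what they mean](/Crowdsec/v1/getting_started/crowdsec-tour/#reading-metrics)`. Note that the `#reading-metrics` anchor only resolves because the `### Reading metrics` heading is added to crowdsec-tour.md in this same commit, so the two files must ship together. The whitelists link fix (dropping the doubled `((`) is correct.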
docs/v1.X/docs/getting_started/crowdsec-tour.md
+28
@@ -190,6 +190,26 @@ INFO[0000] Local Api Bouncers Metrics:
190
190
191
191
</details>
192
192
193
+
### Reading metrics
194
+
195
+
Those metrics are a great way to know if your configuration is correct :
196
+
197
+
The `Acquisition Metrics` is a great way to know if your parsers are setup correctly :
198
+
199
+
- If you have 0 **LINES PARSED** for a source : You are probably *missing* a parser, or you have a custom log format that prevents the parser from understanding your logs.
200
+
- However, it's perfectly OK to have a lot of **LINES UNPARSED** : Crowdsec is not a SIEM, and only parses the logs that are relevant to its scenarios. For example, [ssh parser](https://hub.crowdsec.net/author/crowdsecurity/configurations/sshd-logs), only cares about failed authentication events (at the time of writting).
201
+
-**LINES POURED TO BUCKET** tell you that your scenarios are matching your log sources : it means that some events from this log source made all their way to an actual scenario
202
+
203
+
204
+
The `Parser Metrics` will let you troubleshoot eventual parser misconfigurations :
205
+
-**HITS** is how many events where fed to this specific parser
206
+
-**PARSED** and **UNPARSED** indicate how many events successfully come out of the parser
207
+
208
+
For example, if you have a custom log format in nginx that is not supported by the default parser, you will end up seeing a lot of **UNPARSED** for this specific parser, and 0 for **PARSED**.
209
+
210
+
For more advanced metrics understanding, [take a look at the dedicated prometheus documentation](/Crowdsec/v1/observability/prometheus/).
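Review bot: three of the new bullet lines will not render as list items because there is no space after the leading hyphen: `-**LINES POURED TO BUCKET** ...`, `-**HITS** ...` and `-**PARSED** and **UNPARSED** ...`. In Markdown these are glued onto the preceding paragraph as plain text, so write them as `- **HITS** is how many events were fed to this specific parser`. While here: "writting" should be "writing", "where fed" should be "were fed", "made all their way" should be "made their way", and the PARSED/UNPARSED line is misleading as written, since only **PARSED** counts events that successfully came out of the parser while **UNPARSED** counts the ones it rejected. It is also worth stating the consequence of 0 **LINES PARSED** for a source explicitly: if nothing is parsed, nothing is poured to a bucket and no scenario can fire on that source, so it is a detection gap rather than a cosmetic issue.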
Collections are bundles of parsers/scenarios that form a coherent ensemble to analyze/detect attacks for a specific service. It is the most common way to deploy configurations.
218
238
219
239
They can be found and browsed on the {{v1X.hub.htmlname}}
240
+
241
+
## Scalability
242
+
243
+
Crowdsec uses go-routines for parsing and enriching logs, pouring events to buckets and manage outputs.
244
+
245
+
By default, one routine of each exists (should be enough to handle ~1K EP/s), and can be changed in `crowdsec_service` of the main configuration file via the [parser_routines](/Crowdsec/v1/references/crowdsec-config/#parser_routines), [buckets_routines](/Crowdsec/v1/references/crowdsec-config/#buckets_routines) and [output_routines](/Crowdsec/v1/references/crowdsec-config/#output_routines) directives.
246
+
247
+
Please keep in mind that thanks to the [http API]({{v1X.lapi.swagger}}), the workload of log parsing can be splitted amongst several agents pushing to a single {{v1X.lapi.Htmlname}}.
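Review bot: `{{v1X.lapi.Htmlname}}` uses a capital H while every other template variable in this diff (`{{v1X.profiles.htmlname}}`, `{{v1X.hub.htmlname}}`) uses lowercase `htmlname`; unless the lapi variable really is defined that way, this will render as literal template text, so please check it against the site's variable definitions. Grammar in the new Scalability text: "pouring events to buckets and manage outputs" should be "managing outputs", and "splitted" should be "split". The "~1K EP/s" figure should spell out the unit (events per second) and say it is a rough order-of-magnitude estimate, since actual throughput depends on the hardware and on which parsers and scenarios are loaded.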
And as these alerts are as well pushed to database, it mean you can view them in metabase, or using cscli !
36
36
37
37
38
+
!!! warning
39
+
To work in forensic mode, crowdsec-agent relies on [crowdsecurity/dateparse-enrich](https://hub.crowdsec.net/author/crowdsecurity/configurations/dateparse-enrich) to parse date formats. See dedicated hub page for supported formats.
40
+
41
+
38
42
## Injecting alerts into existing database
39
43
40
44
If you already have a running crowdsec/Local API running and want to inject events into existing database, you can run crowdsec directly :
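Review bot: for the `!!! warning` admonition to render, the paragraph that follows it ("To work in forensic mode, ...") must be indented by four spaces under the `!!! warning` line; as shown here it appears flush left, which would produce an empty warning box followed by an ordinary paragraph, so please verify the indentation in the source file. Minor wording: "See dedicated hub page" reads better as "See the dedicated hub page". The unchanged context lines also carry two pre-existing slips that could be fixed in the same commit: "it mean you can view them" should be "it means", and "a running crowdsec/Local API running" repeats "running".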