Acquisition

By default, CrowdSec tries to detect running services (CrowdSec >= 1.7.0) and install the appropriate log sources and Collections.

You should verify detection worked and that log paths are correct. If a service was not detected, install additional Collections manually.

What log sources are already detected?

To find out which log sources are providing data to CrowdSec, query metrics with cscli.

cscli metrics show acquisition

How to interpret the output

The output shows log sources currently being monitored.

If the table is empty, or the source you expect is missing, you may need to update the configuration. See next steps.

Are the detected log sources working correctly?

When you run cscli metrics show acquisition, you will see sources and columns such as Lines read and Lines whitelisted.

CrowdSec tails acquisitions at startup, so if the log source has had no activity since the service started, you may see an empty table.

Acquisition Metrics:
╭────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/nginx/access.log │ 3 │ 3 │ - │ - │ 3 │
╰────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

Here is a short explanation of the columns:

  • Lines read - The number of lines read from the log source.
  • Lines parsed - The number of lines that were successfully parsed.
  • Lines unparsed - The number of lines that were not parsed.
  • Lines poured to bucket - The number of lines that were not parsed and were sent to the bucket.
  • Lines whitelisted - The number of lines that were successfully parsed and were whitelisted before being sent to the bucket.

In some cases you will see more unparsed lines than parsed lines. This can happen when a Collection only targets a subset of log lines.
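
As an added example (not part of the CrowdSec documentation or tooling), the shell function below applies these checks to the table layout shown above. The helper name check_acquisition, its verdict labels and the auth.log sample row are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check_acquisition is a hypothetical helper, not a cscli feature.
# It reads the table printed by `cscli metrics show acquisition` on stdin and
# prints one verdict per source. Returns 1 if the table is empty or a source
# was read but never parsed, 0 otherwise.
check_acquisition() {
    # Turn the box-drawing column separator into "|" so any awk can split on it.
    sed 's/│/|/g' | awk -F'|' '
        function trim(v) { gsub(/^[ \t]+|[ \t]+$/, "", v); return v }
        function num(v)  { v = trim(v); return (v == "-" || v == "") ? 0 : v + 0 }
        # Data and header rows split into 8 fields; borders and the title do not.
        NF == 8 {
            src = trim($2)
            if (src == "Source") next             # header row
            seen++
            nread = num($3); parsed = num($4); unparsed = num($5)
            if (nread > 0 && parsed == 0) {
                print "NO_PARSE " src; bad = 1    # likely a missing Collection
            } else if (unparsed > parsed) {
                print "MOSTLY_UNPARSED " src      # can be normal, not a failure
            } else {
                print "OK " src
            }
        }
        END {
            if (seen == 0) { print "EMPTY"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: the nginx row is from the page, the auth.log row is made up.
SAMPLE_TABLE='│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
│ file:/var/log/nginx/access.log │ 3 │ 3 │ - │ - │ 3 │
│ file:/var/log/auth.log │ 10 │ - │ 10 │ - │ - │'

printf '%s\n' "$SAMPLE_TABLE" | check_acquisition || true
# On a live host: cscli metrics show acquisition | check_acquisition
```

A MOSTLY_UNPARSED verdict does not change the exit status, because a Collection that targets only a subset of log lines produces it legitimately.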

What services are currently supported?

You can find a list of Collections on the Hub.

A Collection is a group of Parsers and Scenarios.

Next steps

If you see all the services you want covered, return to the post-installation steps.

Follow the how to set up a new acquisition section if you see that some log sources are not being monitored.

Follow the troubleshooting section if your table is empty.