
Add new log sources

We will add a file-based acquisition. If you need a different source, adjust the instructions to match your setup.

Once you have identified the service you want to add, use cscli to install its collection.

You can view the available collections on the Hub.

cscli collections install <collection_name>

Once the collection is downloaded, add a new Acquisition so CrowdSec knows where to find the log source.

Each collection on the Hub includes an example Acquisition, which helps you identify files to monitor and labels to assign.

Since version 1.5.0, you can add acquisitions via the acquis.d directory, which avoids editing the main configuration file.

Create the directory if it does not exist

sudo mkdir -p /etc/crowdsec/acquis.d

Create the acquisition file

sudo touch /etc/crowdsec/acquis.d/<collection_name>.yaml

You can skip the following step if you are on Kubernetes.

Add the following contents to the file

<collection_name>.yaml
filenames:
  - "/path/to/your/file.log" ## Single file
  - "/path/to/your/files*" ## Wildcard support
labels:
  type: "<type of logs>" ## Type defined in the parser

Once you have added the acquisitions, test the configuration and restart the service.

sudo crowdsec -t && sudo systemctl restart crowdsec
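Before restarting, it is worth confirming that every filenames entry matches a file the service can read and that the type label is no longer the placeholder. The script below is an added example, not part of CrowdSec or this documentation; the function names check_acquis and bare are hypothetical, and it assumes the simple single-document layout shown above.

```shell
#!/bin/sh
# Added example, not part of CrowdSec: pre-flight check for an acquis.d file.
# Assumptions: the simple single-document layout shown above, and no "#"
# inside paths. Run it as the same user as the CrowdSec service.

# Print $1 without trailing comment, surrounding whitespace or quotes.
bare() {
    printf '%s\n' "$1" |
        sed -E "s/#.*\$//; s/^[[:space:]]+//; s/[[:space:]]+\$//; s/^[\"'](.*)[\"']\$/\1/"
}

# Returns 0 when every filenames entry matches a readable file and
# labels.type is set; 1 when something is wrong; 2 if the file is unreadable.
check_acquis() (
    file=$1; section=; type=; patterns=0; problems=0
    IFS=        # empty IFS: keep whitespace in read, glob without word splitting
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; exit 2; }
    while read -r line || [ -n "$line" ]; do
        body=$(bare "$line")
        case "$line" in
            [A-Za-z_]*) section=${body%%:*}; continue ;;   # top-level key
        esac
        case "$section:$body" in
            filenames:-*)
                pattern=$(bare "${body#-}")
                [ -n "$pattern" ] || continue
                patterns=$((patterns + 1)); hit=0
                for f in $pattern; do      # unquoted on purpose: expand the glob
                    if [ -f "$f" ] && [ -r "$f" ]; then hit=1; fi
                done
                if [ "$hit" -eq 0 ]; then
                    echo "WARN: no readable file matches $pattern"
                    problems=$((problems + 1))
                fi ;;
            labels:type:*)
                type=$(bare "${body#type:}") ;;
        esac
    done < "$file"
    if [ "$patterns" -eq 0 ]; then
        echo "ERROR: no filenames entries"; problems=$((problems + 1))
    fi
    case "$type" in
        ""|"<"*) echo "ERROR: labels.type is missing or still the placeholder"
                 problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
)
```

Source the script and call check_acquis with the path of the file you created under /etc/crowdsec/acquis.d; a non-zero exit status means at least one entry needs attention.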

Next steps

Now that you have added a new acquisition, verify that logs are being parsed correctly. See "Are the detected log sources working correctly?".