From 2b729f2342997ab079b9173a99aa2e6dba518e7d Mon Sep 17 00:00:00 2001
From: Sebastien Blot
Date: Mon, 30 Oct 2023 17:38:24 +0100
Subject: [PATCH 1/2] add sentinel notification plugin doc
---
 .../docs/notification_plugins/sentinel.md | 82 +++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 crowdsec-docs/docs/notification_plugins/sentinel.md
diff --git a/crowdsec-docs/docs/notification_plugins/sentinel.md b/crowdsec-docs/docs/notification_plugins/sentinel.md
new file mode 100644
index 00000000..91397e39
--- /dev/null
+++ b/crowdsec-docs/docs/notification_plugins/sentinel.md
@@ -0,0 +1,82 @@
+---
+id: sentinel
+title: Sentinel Plugin
+---
+
+The sentinel plugin is by default shipped with your CrowdSec installation. The following guide shows how to enable it.
+
+## Enabling the plugin:
+
+In your profile file (by default `/etc/crowdsec/profiles.yaml`) , uncomment the section
+```
+#notifications:
+# - sentinel_default
+```
+
+## Configuring the plugin:
+
+### Adding the plugin configuration
+
+By default there would be a sentinel config at `/etc/crowdsec/notifications/sentinel.yaml`.
+You will need to specify:
+ - customer_id
+ - shared_key
+ - log_type
+
+Example config:
+
+```yaml
+type: sentinel # Don't change
+name: sentinel_default # Must match the registered plugin in the profile
+
+# One of "trace", "debug", "info", "warn", "error", "off"
+log_level: info
+# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
+# group_threshold: # Amount of alerts that triggers a message before has expired, eg "10"
+# max_retry: # Number of attempts to relay messages to plugins in case of error
+# timeout: # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
+
+#-------------------------
+# plugin-specific options
+
+# The following template receives a list of models.Alert objects
+# The output goes in the http request body
+format: |
+ {{.|toJson}}
+
+customer_id: XXX-XXX
+shared_key: XXXXXXX
+log_type: crowdsec
+
+```
+
+**Note** that the `format` is a [go template](https://pkg.go.dev/text/template), which is fed a list of [Alert](https://pkg.go.dev/github.com/crowdsecurity/crowdsec@master/pkg/models#Alert) objects.
+
+### Configuration options
+
+#### customer_id
+
+Also known as the `workspace id`.
+You can get it from the azure portal in `Log Analytics workspace` -> `YOUR_WORKSPACE` -> `Settings` -> `Agents`
+
+#### shared_key
+
+Also known as the `primary key`.
+You can get it from the azure portal in `Log Analytics workspace` -> `YOUR_WORKSPACE` -> `Settings` -> `Agents`
+
+#### log_type
+
+The log type is the name of the log that will be sent to azure.
+
+Assuming you chose `crowdsec`, it will appear as `crowdsec_CL` in azure.
+
+
+## Final Steps:
+
+Let's restart crowdsec
+
+```bash
+sudo systemctl restart crowdsec
+```
+
+You can verify whether the plugin is properly working by triggering scenarios using tools like wapiti, nikto etc.
\ No newline at end of file
From b0e26a6dd8eddad9f14be822f7934be05bdc4159 Mon Sep 17 00:00:00 2001
From: Sebastien Blot
Date: Mon, 30 Oct 2023 17:48:09 +0100
Subject: [PATCH 2/2] add it to the sidebar
---
 crowdsec-docs/sidebars.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/crowdsec-docs/sidebars.js b/crowdsec-docs/sidebars.js
index 3049c43e..72c0ac00 100644
--- a/crowdsec-docs/sidebars.js
+++ b/crowdsec-docs/sidebars.js
@@ -345,6 +345,7 @@
 ],
 },
 "notification_plugins/email",
+ "notification_plugins/sentinel",
 "notification_plugins/slack",
 "notification_plugins/splunk",
 "notification_plugins/template_helpers",