Hello!
Sure, let's take this occasion to further improve the documentation; it is indeed still quite obtuse.
We're going to make machine #1 the "master" (with the dashboard etc.): it has crowdsec, the local API and the dashboard, and machine #2 will simply be a slave to it, pushing its alerts there:
- make sure machine #1 API can be reached from machine #2
- generate a new machine account on machine #1 that can be used on machine #2
- configure machine #2 so that it pushes its alerts to machine #1
Assuming you have crowdsec already installed on both machines, we are going to make sure that machine #2 pushes its alerts to machine #1 instead of dealing with them locally (so your assumption was right):
- on machine #1, let's edit /etc/crowdsec/config.yaml to make sure that the API can be reached from machine #2. You're going to find the api → server section to edit the listen address:
api:
  ...
  server:
    log_level: info
    listen_uri: 0.0.0.0:8080
note: with this change, once you restart crowdsec, the API should be accessible from other machines. Ensure that you can telnet 123.456.789.001 8080 from machine #2 before moving further.
- on machine #1, let's create new machine credentials:
$ sudo cscli machines add machine_2 -a -f machine_2
$ cat ./machine_2
url: http://127.0.0.1:8080/
login: machine_2
password: xxxx
note: what matters here is the login and the password; we're going to use them later.
- on machine #2, we're going to configure crowdsec so that it pushes alerts to machine #1. This time, we're going to first of all edit /etc/crowdsec/local_api_credentials.yaml (you can see this file referenced in the /etc/crowdsec/config.yaml file, api → client section). It is the file that tells crowdsec to which API endpoint (and with which credentials) it should speak.
url: http://123.456.789.001:8080/
login: machine_2
password: xxxx
note: I replaced the url with the example IP of machine #1; use the real IP here.
Once this is done, if you trigger an attack on machine #2, you should see it in cscli decisions list and the dashboard on machine #1. If you're using cscli from machine #2, it should as well speak directly to machine #1.
Please let me know. Once it's good, I'll update the documentation with this.
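As an added example (not part of the reply above and not the CrowdSec project's own code), here is a small bash script for the machine #2 side of the procedure: it takes the `machine_2` file that `cscli machines add machine_2 -a -f machine_2` wrote on machine #1, rewrites only the `url` line so it points at machine #1 instead of 127.0.0.1, checks that the result looks like a usable client credentials file, and offers a TCP probe of the LAPI port that does not depend on telnet being installed. It assumes the three-line url/login/password format shown in the reply, port 8080, and the placeholder address 192.0.2.10 for machine #1; the sample `machine_2` file the script writes for its demo is constructed, not real output.

```bash
#!/usr/bin/env bash
# Added example, not from the original reply or the CrowdSec project.
# Assumptions: the file written by `cscli machines add ... -f FILE` is the
# three-line url/login/password YAML shown in the reply; 192.0.2.10 is a
# placeholder for machine #1's real address; the LAPI listens on port 8080.
set -eu

# Turn the credentials file generated on machine #1 (url = 127.0.0.1) into the
# client file machine #2 needs (url = machine #1). Only the url line is
# rewritten; the login and password lines are copied through unchanged.
#   $1 = file written on machine #1 by `cscli machines add machine_2 -a -f machine_2`
#   $2 = address of machine #1 as reachable from machine #2
#   $3 = destination, normally /etc/crowdsec/local_api_credentials.yaml
make_client_credentials() {
  local src="$1" lapi_host="$2" dst="$3"
  sed -E "s#^url: https?://[^:/]+(:[0-9]+)?/?#url: http://${lapi_host}\1/#" "$src" > "$dst"
  chmod 600 "$dst"   # the file holds a password; keep it owner-readable only
}

# Sanity check before restarting crowdsec on machine #2: the three keys are
# present and the url no longer points at localhost (a leftover 127.0.0.1 url
# would make machine #2 talk to its own, unintended, local API).
check_client_credentials() {
  local f="$1"
  grep -qE '^url: http://' "$f" || return 1
  grep -qE '^login: ' "$f" || return 1
  grep -qE '^password: ' "$f" || return 1
  ! grep -qE '^url: http://(127\.0\.0\.1|localhost)' "$f"
}

# TCP probe of the LAPI port from machine #2, equivalent to the telnet check
# in the reply but using bash's /dev/tcp so no extra tool is required.
lapi_reachable() {
  local host="$1" port="${2:-8080}"
  timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Demo on a constructed copy of the machine #1 output (no network, no root).
demo_dir=$(mktemp -d)
printf 'url: http://127.0.0.1:8080/\nlogin: machine_2\npassword: xxxx\n' > "$demo_dir/machine_2"
make_client_credentials "$demo_dir/machine_2" 192.0.2.10 "$demo_dir/local_api_credentials.yaml"
if ! check_client_credentials "$demo_dir/local_api_credentials.yaml"; then
  echo "generated client credentials failed the sanity check" >&2
  exit 1
fi
echo "client credentials for machine #2:"
cat "$demo_dir/local_api_credentials.yaml"
rm -rf "$demo_dir"
```

On a real machine #2 you would copy the `machine_2` file over, run `make_client_credentials ./machine_2 <machine #1 IP> /etc/crowdsec/local_api_credentials.yaml` as root, call `lapi_reachable <machine #1 IP> 8080` to confirm the listen_uri change on machine #1 took effect, and then restart crowdsec. The `check_client_credentials` step is there because the most common mistake in this setup is leaving the url at 127.0.0.1, in which case machine #2 keeps handling its alerts locally and nothing shows up on the master.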