Using "Machines"

Hello!

Sure, let’s take this occasion to further improve the documentation, it is indeed still quite obtuse :slightly_smiling_face:

We’re going to make machine #1 the “master” (with the dashboard etc.): it has crowdsec, the local API and the dashboard, and machine #2 will simply be a slave to it, pushing its alerts there:

  • make sure machine #1 API can be reached from machine #2
  • generate a new machine account on machine #1 that can be used on machine #2
  • configure machine #2 so that it pushes its alerts to machine #1

Assuming you have crowdsec already installed on both machines, we are going to make sure that machine #2 pushes its alerts to machine #1 instead of dealing with them locally (so your assumption was right):

  1. on machine #1, let’s edit /etc/crowdsec/config.yaml to make sure that the API can be reached from machine #2. You’re going to find the api → server section and edit the listen address:

```yaml
api:
...
  server:
    log_level: info
    listen_uri: 0.0.0.0:8080
```

note: with this change, once you restart crowdsec, the API should be accessible from other machines. Ensure that you can `telnet 123.456.789.001 8080` from machine #2 before moving further.

  2. on machine #1, let’s create new machine credentials:

```shell
$ sudo cscli machines add machine_2 -a -f machine_2
$ cat ./machine_2
url: http://127.0.0.1:8080/
login: machine_2
password: xxxx
```

note: what matters here are the login and the password; we’re going to use them later.

  3. on machine #2, we’re going to configure crowdsec so that it pushes alerts to machine #1. This time, we’re going to edit /etc/crowdsec/local_api_credentials.yaml (you can see this file referenced in the /etc/crowdsec/config.yaml file, api → client section). It is the file that tells crowdsec which API endpoint (and which credentials) it should use:

```yaml
url: http://123.456.789.001:8080/
login: machine_2
password: xxxx
```

note: I replaced the url with the example IP of machine #1; use the real IP here.

Once this is done, if you trigger an attack on machine #2, you should see it in `cscli decisions list` and in the dashboard on machine #1. If you’re using cscli from machine #2, it should also speak directly to machine #1.

Please let me know. Once it’s good, I’ll update the documentation with this :slight_smile:
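As an added example (not part of the post above and not crowdsec's own tooling), here is a small POSIX shell helper that does step 3 from the file step 2 produces: it keeps the login and password that `cscli machines add` wrote on machine #1 and rewrites the url so it points at machine #1's address instead of 127.0.0.1. The address 192.0.2.10 and the sample credentials file are constructed stand-ins; `lapi_reachable` assumes `nc` is installed.

```shell
#!/bin/sh
# Added example, not from the original post or the crowdsec project.
# Turns the file written on machine #1 by
#   sudo cscli machines add machine_2 -a -f machine_2
# into the local_api_credentials.yaml that machine #2 needs: same login and
# password, but the url points at machine #1 instead of 127.0.0.1.
# Assumed: the file holds exactly the three top-level keys url/login/password
# shown in the post, one per line.

# Read the value of a top-level "key: value" line from a small YAML file.
yaml_value() {
    # $1 = key, $2 = file
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# Check that the LAPI port of machine #1 answers (the post's "telnet" step).
# $1 = address of machine #1, $2 = port. Needs nc; assumption, not exercised here.
lapi_reachable() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Write the client credentials file for machine #2.
#   $1 = credentials file produced by cscli on machine #1
#   $2 = address of machine #1 as seen from machine #2 (real IP or hostname)
#   $3 = LAPI port (the port from listen_uri, 8080 in the post)
#   $4 = output path (normally /etc/crowdsec/local_api_credentials.yaml)
make_client_credentials() {
    login=$(yaml_value login "$1")
    password=$(yaml_value password "$1")
    if [ -z "$login" ] || [ -z "$password" ]; then
        echo "error: no login/password found in $1" >&2
        return 1
    fi
    # umask 077 so the password is only readable by the owner (root)
    ( umask 077
      printf 'url: http://%s:%s/\nlogin: %s\npassword: %s\n' \
          "$2" "$3" "$login" "$password" > "$4" )
}

# Constructed sample standing in for the file cscli writes on machine #1.
WORK=$(mktemp -d)
printf 'url: http://127.0.0.1:8080/\nlogin: machine_2\npassword: xxxx\n' \
    > "$WORK/machine_2"
# 192.0.2.10 is a documentation address standing in for machine #1's real IP.
make_client_credentials "$WORK/machine_2" 192.0.2.10 8080 \
    "$WORK/local_api_credentials.yaml"
cat "$WORK/local_api_credentials.yaml"
```

On a real machine #2, run it as root with the output path set to /etc/crowdsec/local_api_credentials.yaml, then restart crowdsec.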
