Whitelist Configuration

Are whitelists configured on LAPI or on each separate agent?

Hi,

Yes, only in each agent.


Sorry to dig up this old thread but maybe it has changed or not.
First what’s LAPI (but that’s optional)?

Is it still local or should we configure the whitelist on the centralized dashboard?

Also I've noticed that all the files from /etc/crowdsec/parsers/s02-enrich are logical links from somewhere else. So should I change the directory and redo a ln for my new file too, or can I just create a new file there?

Also, if I need to create a new file, then what should be the first line

name:

and also the rest of the lines? Because that is not specified in the doc either.

Hey :wave:

> First what’s LAPI

LAPI is the Local API that is running on each security engine to enable communication to Remediations, unless you specify to turn it off. You only need to know about this concept if you are connecting multiple servers together in a “multi server setup”.

> are all logical link from somewhere else

Hub items are held within /etc/crowdsec/hub, so to abstract the installation of these files they are all symlinks to these folders. If you want to create a local whitelist, then you do not need to create a symlink or host it elsewhere; you can create the file directly in the folder.

> Also if I need to create a new file then what should be the first line

Whitelists are a mixture of a “parser” with specialized keys. You can see the defined format here; however, I recommend viewing our examples as a starting point.

Okay, that’s indeed what I did and it apparently worked.

And a note for later: you can’t put different lists with different reasons in the same file (because that’s what I did in the beginning and crowdsec was then trying to start in a loop…).

Now, since those IPs I did put on my whitelists do need to be shared, how do I do that?
Some of the context: those IPs, which were from the monitoring tools from mysterium network, were considered as malicious by crowdsec (because of scan of ports I guess, did not check the logs yet).
So how would I share this whitelist across all my servers, for example?
Is there a way to do that on the dashboard? Or will I need to upload those files in each crowdsec installation? Or use the LAPI structure which (I did not read into yet) involves, I guess, a central node receiving all the logs from all the servers, something like that?

> Will I need to upload those files in each crowdsec installation?

Yes, if you want to whitelist on parsing you need to distribute those across the security engines.

> use the LAPI structure which (I did not read into yet) involved I guess a central node receiving all the logs from all the servers something like that?

Not following this sentence. If you are centralizing all the logs, then you only need a single instance of CrowdSec. If you meant to say centralizing all of the alerts, you can use the profiles workaround.
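
An added example, not from this thread or from the CrowdSec project: a small generator that builds one whitelist file from a single address list, so the identical file can be copied to every security engine, with one reason per file as noted earlier in the thread. The `name`, `description` and `whitelist` keys (`reason`, `ip`, `cidr`) follow the CrowdSec whitelist parser format; the name `local/monitoring-whitelist`, the reason text and the addresses are constructed placeholders.

```python
import ipaddress


def render_whitelist(name, reason, entries):
    """Return the text of one CrowdSec whitelist parser file.

    Entries with a "/" are written under `cidr`, the rest under `ip`. Each is
    validated first, so a typo fails here instead of when the engine starts.
    """
    if '"' in name or '"' in reason:
        raise ValueError("double quotes are not supported in name/reason")
    ips, cidrs = set(), set()
    for entry in entries:
        entry = entry.strip()
        if "/" in entry:
            # strict=True rejects networks with host bits set (198.51.100.7/24)
            cidrs.add(str(ipaddress.ip_network(entry, strict=True)))
        else:
            ips.add(str(ipaddress.ip_address(entry)))
    if not ips and not cidrs:
        raise ValueError("refusing to write an empty whitelist")
    lines = [
        f"name: {name}",
        f'description: "Whitelist for {reason}"',
        "whitelist:",
        f'  reason: "{reason}"',
    ]
    for key, values in (("ip", ips), ("cidr", cidrs)):
        if values:
            lines.append(f"  {key}:")
            lines.extend(f'    - "{value}"' for value in sorted(values))
    return "\n".join(lines) + "\n"


# Constructed sample: documentation-range addresses standing in for the
# monitoring probes mentioned in the thread.
MONITORING = ["192.0.2.10", "192.0.2.11 ", "198.51.100.0/24", "2001:db8::1"]

if __name__ == "__main__":
    # Hypothetical file name and reason; one reason per generated file.
    print(render_whitelist("local/monitoring-whitelist",
                           "trusted monitoring probes", MONITORING), end="")
```

Save the output as a file in /etc/crowdsec/parsers/s02-enrich on each engine and restart or reload CrowdSec there so the parser is picked up.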

Okay yeah, so I really need some tutorials about how to manage several servers having to use the same whitelists and be able to centralize all of them => so knowing which architecture is best, if it is better to send all logs to a specific server or another architecture.

Thanks for the leads.