moved content

mmetc · mmetc · commit b2e2def63dcc · 2025-08-28T15:46:28.000+02:00
diff --git a/crowdsec-docs/docs/log_processor/data_sources/introduction.md b/crowdsec-docs/docs/log_processor/data_sources/introduction.md
@@ -6,26 +6,70 @@ sidebar_position: 1
 
 ## Datasources
 
-To be able to monitor applications, the Security Engine needs to access logs.
-DataSources are configured via the [acquisition](/configuration/crowdsec_configuration.md#acquisition_path) configuration, or specified via the command-line when performing cold logs analysis.
+To monitor applications, the Security Engine needs to read logs.
+DataSources define where to access them (either as files, or over the network from a centralized logging service).
 
+They can be defined:
+
+- in [Acquisition files](/configuration/crowdsec_configuration.md#acquisition_path). Each file can contain multiple DataSource definitions.
+- for cold log analysis, you can also specify acquisitions via the command line.
+
+
+### Service detection (automated setup)
+
+When CrowdSec is installed via a package manager on a fresh system, the package may run [`cscli setup`](/cscli/cscli_setup) in **unattended** mode.
+
+The `cscli setup` command will:
+
+- detect installed services and common log file locations
+- install the related Hub collections
+- generate acquisition files under `acquis.d/` as `setup.<service>.yaml` (e.g., `setup.linux.yaml`)
+
+Generated files are meant to be managed by CrowdSec; don’t edit them in place. If you need changes, delete the generated file and create your own.
+
+When upgrading or reinstalling CrowdSec, it detects non-generated or modified files and won’t overwrite your custom acquisitions.
+
+:::caution
+
+Make sure the same data sources are not ingested more than once: duplicating inputs can artificially increase scenario sensitivity.
+
+:::
+
+Examples:
+
+- If an application logs to both `journald` and `/var/log/*`, you usually only need one of them.
+- If an application writes to `/var/log/syslog` or `/var/log/messages`, it’s already acquired by `setup.linux.yaml` (since 1.7) or `acquis.yam`. You don’t need to add a separate acquisition for the same logs.
+
+For config-managed deployments (e.g., Ansible), set the environment variable `CROWDSEC_SETUP_UNATTENDED_DISABLE` to any non-empty value to skip the automated setup.
+In that case, ensure you configure at least one data source and install the OS collection (e.g., crowdsecurity/linux).
+
+### Assisted service detection (semi-automated setup)
+
+If you installed new applications and want to detect the service detection again, running [`cscli setup`](/cscli/cscli_setup) yourself will guide you through the
+automated setup, with confirmation prompts. You will receive a warning if you already configured some acquisition yourself but they won't be
+modified by `cscli`.
+
+Note that `cscli setup` will not remove any collection or acquisition file in `acquis.d/setup.<service>.yaml`, even if the service has been uninstalled since the file creation.
+
+
+## Datasources modules
 
 Name | Type | Stream | One-shot
 -----|------|--------|----------
-[Appsec](/log_processor/data_sources/appsec.md) | expose HTTP service for the Appsec component | yes | no
-[AWS cloudwatch](/log_processor/data_sources/cloudwatch.md) | single stream or log group | yes | yes
-[AWS kinesis](/log_processor/data_sources/kinesis.md)| read logs from a kinesis strean | yes | no
-[AWS S3](/log_processor/data_sources/s3.md)| read logs from a S3 bucket | yes | yes
-[docker](/log_processor/data_sources/docker.md) | read logs from docker containers | yes | yes
-[file](/log_processor/data_sources/file.md) | single files, glob expressions and .gz files | yes | yes
-[HTTP](/log_processor/data_sources/http.md) | read logs from an HTTP endpoint | yes | no
-[journald](/log_processor/data_sources/journald.md) | journald via filter | yes | yes
-[Kafka](/log_processor/data_sources/kafka.md)| read logs from kafka topic | yes | no
-[Kubernetes Audit](/log_processor/data_sources/kubernetes_audit.md) | expose a webhook to receive audit logs from a Kubernetes cluster  | yes | no
-[Loki](/log_processor/data_sources/loki.md) | read logs from loki | yes | yes
-[VictoriaLogs](/log_processor/data_sources/victorialogs.md) | read logs from VictoriaLogs | yes | yes
-[syslog service](/log_processor/data_sources/syslog_service.md) | read logs received via syslog protocol | yes | no
-[Windows Event](/log_processor/data_sources/windows_event_log.md)| read logs from windows event log | yes | yes
+[Appsec](/log_processor/data_sources/appsec) | expose HTTP service for the Appsec component | yes | no
+[AWS cloudwatch](/log_processor/data_sources/cloudwatch) | single stream or log group | yes | yes
+[AWS kinesis](/log_processor/data_sources/kinesis)| read logs from a kinesis strean | yes | no
+[AWS S3](/log_processor/data_sources/s3)| read logs from a S3 bucket | yes | yes
+[docker](/log_processor/data_sources/docker) | read logs from docker containers | yes | yes
+[file](/log_processor/data_sources/file) | single files, glob expressions and .gz files | yes | yes
+[HTTP](/log_processor/data_sources/http) | read logs from an HTTP endpoint | yes | no
+[journald](/log_processor/data_sources/journald) | journald via filter | yes | yes
+[Kafka](/log_processor/data_sources/kafka)| read logs from kafka topic | yes | no
+[Kubernetes Audit](/log_processor/data_sources/kubernetes_audit) | expose a webhook to receive audit logs from a Kubernetes cluster  | yes | no
+[Loki](/log_processor/data_sources/loki) | read logs from loki | yes | yes
+[VictoriaLogs](/log_processor/data_sources/victorialogs) | read logs from VictoriaLogs | yes | yes
+[syslog service](/log_processor/data_sources/syslog_service) | read logs received via syslog protocol | yes | no
+[Windows Event](/log_processor/data_sources/windows_event_log)| read logs from windows event log | yes | yes
 
 ## Common configuration parameters
 
@@ -46,6 +90,7 @@ An expression that will run after the acquisition has read one line, and before
 It allows to modify an event (or generate multiple events from one line) before parsing.
 
 For example, if you acquire logs from a file containing a JSON object on each line, and each object has a `Records` array with multiple events, you can use the following to generate one event per entry in the array:
+
 ```
 map(JsonExtractSlice(evt.Line.Raw, "Records"), ToJsonString(#))
 ```
@@ -70,31 +115,39 @@ If not set, then crowdsec will think all logs happened at once, which can lead t
 A map of labels to add to the event.
 The `type` label is mandatory, and used by the Security Engine to choose which parser to use.
 
-## Acquisition configuration example
+## Acquisition configuration examples
 
-```yaml title="/etc/crowdsec/acquis.yaml"
+```yaml title="/etc/crowdsec/acquis.d/nginx.yaml"
 filenames:
   - /var/log/nginx/*.log
 labels:
   type: nginx
----
+```
+
+```yaml title="/etc/crowdsec/acquis.d/linux.yaml"
 filenames:
  - /var/log/auth.log
  - /var/log/syslog
 labels:
   type: syslog
----
+```
+
+```yaml title="/etc/crowdsec/acquis.d/docker.yaml"
 source: docker
 container_name_regexp:
  - .*caddy*
 labels:
   type: caddy
 ---
-...
+source: docker
+container_name_regexp:
+ - .*nginx*
+labels:
+  type: nginx
 ```
 
 :::warning
 The `labels` and `type` fields are necessary to dispatch the log lines to the right parser.
 
-Also note between each datasource is `---` this is needed to separate multiple YAML documents (each datasource) in a single file.
+In the last example we defined multiple datasources separated by the line `---`, which is the standard YAML marker.
 :::
diff --git a/crowdsec-docs/docs/log_processor/intro.mdx b/crowdsec-docs/docs/log_processor/intro.mdx
@@ -50,32 +50,8 @@ labels:
  type: syslog
 ```
 
-When CrowdSec is installed via a package manager on a fresh system, the package manager may run `cscli setup` in **unattended** mode.
-It detects installed services and common log file locations, installs the related Hub collections, and generates acquisition files under `acquis.d/setup.<service>.yaml`, e.g. `setup.linux.yaml`).
-
-Generated files are meant to be managed by crowdsec; don’t edit them in place. If you need changes, delete the generated file and create your own.
-
-When upgrading or reinstalling crowdsec, it detects non-generated or modified files and won’t overwrite your custom acquisitions.
-
-:::caution
-
-Make sure the same data sources aren’t ingested more than once: duplicating inputs can artificially increase scenario sensitivity.
-
-:::
-
-Examples:
-
- - If an application logs to both `journald` and `/var/log/*`, you usually only need one of them.
-
- - If an application writes to `/var/log/syslog` or `/var/log/messages`, it’s already acquired by `setup.linux.yaml` (since 1.7) or `acquis.yam`. You don’t need to add a separate acquisition for the same logs.
-
-For config-managed deployments (e.g., Ansible), set the environment variable `CROWDSEC_SETUP_UNATTENDED_DISABLE` to any non-empty value to skip the automated setup.
-In that case, ensure you configure at least one data source and install the OS collection (e.g., crowdsecurity/linux).
-
 For more information on Data Sources and Acquisitions, see the [Data Sources](log_processor/data_sources/introduction.md) documentation.
 
-For more information on the automated configuration, see the command `cscli setup`.
-
 ## Collections
 
 Collections are used to group together Parsers, Scenarios, and Enrichers that are related to a specific application. For example the `crowdsecurity/nginx` collection contains all the Parsers, Scenarios, and Enrichers that are needed to parse logs from an NGINX web server and detect patterns of interest.
diff --git a/crowdsec-docs/unversioned/getting_started/post_installation/acquisition.mdx b/crowdsec-docs/unversioned/getting_started/post_installation/acquisition.mdx
@@ -5,13 +5,14 @@ title: Acquisition
 
 # Acquisition
 
-By default when CrowdSec is installed it will attempt to detect the running services and acquire the appropriate log sources and [Collections](https://docs.crowdsec.net/docs/next/collections/intro).
+By default when CrowdSec is installed it will attempt to [detect the running services](/log_processor/data_sources#service-detection) and acquire the appropriate log sources and [Collections](https://docs.crowdsec.net/docs/next/collections/intro).
 
-However, we should check that this detection worked or you may want to manually acquire additional [Collections](https://docs.crowdsec.net/docs/next/collections/intro) for other services that are not detected.
+However, we should check that this detection worked and the log locations are correct.
+You may want to manually acquire additional [Collections](https://docs.crowdsec.net/docs/next/collections/intro) for the services that were not detected.
 
 ## What log sources are already detected?
 
-To find what log sources are already detected, you can use the `cscli` command line tool.
+To find out which log sources are providing data to crowdsec, you can query the CrowdSec metrics with the `cscli` command line tool.
 
 ```bash
 cscli metrics show acquisition
