section 3 first draft

Author: jdv

crowdsec-docs/unversioned/user_guides/interactive_se_install/03_acquisition copy.mdx

@@ -11,28 +11,64 @@ import CodeBlock from '@theme/CodeBlock';
 
 # Acquisition
 
-blabla
+Acquisition setup indicates how to retrieve the logs (file, syslog,...) and what parser to use for those logs.  
+The configuration for all acquisitions is located in /etc/crowdsec/acquis.yaml, you can choose to split and store them in /etc/crowdsec/acquis.d/<anyName>.yaml (both method can coexist)
 
 ## Setting up acquisition datasources for detection
 
+TODO: explain how to infer the type give link to collection of prefilled with nicely named placeholders example for all datasource. give 2 examples for each: one minimal and one with all optional fields (+how to use wildcard and exclude for files for example) - can we make a gtp prompt ?
 
 ### Instructions
-...
+... per datasource ?
 
 ### Verification
 
-Let's check ...
+Let's check that parsing is working for all installed parsers and logs.
 
-#### CrowdSec installation health
-
-> [ ]  Check ...
+#### Check acquisition: all necessary logs are read and parsed properly
 
+> [ ] Files are properly read and parsed
+- Use your services normally: navigate on your website, log in via ssh ...
+- Check the metrics
 ```bash
-...
+sudo cscli metrics
 ```
-- You should see ...
-- ...
-
+Alternatively to select only the metrics we're interrested in here:
+```bash
+sudo cscli metrics show acquisition parsers
+```
+- You should see names of the log files you configured in the acquisition section, and the number of lines parsed for each of them.  
+  - The number of "Lines parsed" should be non-zero for each of the files you configured in the acquisition section. and for most cases should be equal to the number of "lines read".
+- The parsers metrics show you what parsers were successfully used. Look for the name of the parsers you installed in the previous step
 
+#### Run on existing logs if you have some
 
+> [ ] Check alerts in past logs
+- Most services open to the internet for more than a few days will have some malicious activity in their logs.
+- You can run the Security Engine on existing logs to check if it detects any malicious activity.
+- ... blabla we have DSN commands in datasources docs.  
+- Try...
+- You will probably see alerts raised when doing this command:
+```bash
+sudo cscli alerts list
+```
+- The alerts will also show up in the console within a few minutes if you enrolled your Security Engine.
+    
 ### Troubleshooting
+If you never see any alerts: However unlikely it's possible that you're not being hit by attacks but first lets check what could be wrong.
+
+<details>
+    <summary>IPs in your logs not properly X-forwarded for</summary>
+    
+    - Check that the logs you are reading have the real Source IP and not the one of one of your proxies or load balancers.
+        - Local/Private IPs are whitelisted by default, so log with non x-forwarded IPs wont trigger alerts. //more details here.. link ...
+        - If you have a reverse proxy, make sure to use the `X-Forwarded-For` header in your logs.
+        - If you have a load balancer, make sure to use the `X-Real-IP` header in your logs.
+</details>
+<details>
+    <summary>You are using custom log formats</summary>
+    
+    The parsers we provide are made to parse default log formats of the supported services.
+    If you are using custom log formats, you will need to create your own parsers or modify the existing ones to match your log format.
+    - You can find more information on how to create your own parsers in the [CrowdSec documentation](https://doc.crowdsec.net/docs/next/log_processor/parsers/intro).
+</details>