OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: cookiemonster on July 07, 2026, 04:52:07 PM

Title: Feedback on using Crowdsec in OPNSense.
Post by: cookiemonster on July 07, 2026, 04:52:07 PM
From https://forum.opnsense.org/index.php?topic=52223.msg269736;topicseen#msg269736 and initially for @philippe_crowdsec

Thank you first of all for allowing to reach you with these product questions.
As I wrote there, I was enthusiastic at the beginning with Crowdsec when you came on this forum to request early users and feedback for it. I went on to install the Crowdsec plugin and moved to a distributed setup where OPN runs the LAPI and expose it to other servers. So far so good.
What disappointed me since then in I think was 2022 was the lack of inclusion of the developments in Crowdsec into this OPN plugin. It can still only install os-crowdsec, the plugin itself, crowdsec and the crowdsec-firewall-bouncer.
So it can "only" list the hub plugins (parsers, scenarios..) and decisions on the OPNsense admin interface but not manage them. Not add them, modify or remove them. The opnsense-generic collection is at version 0.5 on the hub. Version 0.2 for brute force protection. Tells a lot, like it was done and then left. No more collections are available for it. The history in github tells us it was created in 2022, updated once in 2023 and a bit of a generic spruce up this year for labels, tags and such like.

One of the main difficulties in integrating is with other OPN plugins. For example if I run the haproxy plugin (which I do), then the parsing of its log file mainly reports failures to parse. Whether it is because is not vanilla haproxy or freebsd logging I don't know but I had a hard time last time to get your people's attention to this on discord https://discord.com/channels/921520481163673640/1296828602398015540/threads/1342642325226000404 where my continuous attempts were categorised at spam.

Maybe you can begin to see my point. Initial setup of plugin fine but seems almost abandoned since. Interactions in a medium like Discord is hard for a technical issue, and then "staff" were less than helpful.

So, although I don't want it to be a complaintfest, I wanted to provide the context and difficulties.
What do I want from the thread?
A view on what can we expect as improvements to the OPNSense experience of using Crowdsec. Right now it feels we are providing signals and in return a mostly IDS. I'd like to have it explained how to get to use IDP for instance leveraging WAF for haproxy using the plugin.
And does anybody else feel they're using it better than the defaults. How ?

Thank you for reading so far.

p.s. I also contributed this https://forum.opnsense.org/index.php?topic=44839.0 but now I'd love to use SPOA instead but that is not possible due to https://github.com/opnsense/plugins/issues/4923
Title: Re: Feedback on using Crowdsec in OPNSense.
Post by: Patrick M. Hausen on July 07, 2026, 06:46:23 PM
It's because of OPNsense using RFC 5424 file format (IIRC). That's why e.g. Caddy has an option to log in traditional plain ASCII.