Messages - Alorales

#1
Quote from: Mpegger on March 24, 2026, 06:55:54 PM
I am probably misunderstanding how Crowdsec works, but from what I have read, it seems that Crowdsec doesn't monitor the packets going across the interfaces like other IDS/IPS software does, but instead just watches firewall logs for any known abusive patterns. Does this mean that if I have any IP blocking lists in the Opnsense firewall, that I need to enable logging on each entry in order for Crowdsec to "see" any potential patterns? Or is the enable logging option only for the user's eyes, and internally Opnsense still keeps logs?

I ask because after adding in some block lists, my Crowdsec Console reports that it's been very quiet from my setup, which could mean either I screwed up the settings and it's no longer reporting (not likely because it still sees the firewall and other systems reporting on my network), or as their own popup help states, that it could just be there is nothing to report on (the blocklists are blocking any suspicious activity, but Crowdsec doesn't see it).
CrowdSec relies on logs, so if a firewall rule doesn't log, it won't be analyzed. In OPNsense, blocked traffic is only visible to CrowdSec if logging is enabled on those rules, otherwise it effectively "doesn't exist" from its perspective.
#2
Sounds like OMV might not fully trust the new subnet or interface from OPNsense. I'd check OMV's allowed networks and also verify gateway/DNS settings on the OMV box to make sure it points to OPNsense, not the old router.