Situation:
Since I use opnsense for dial-up, I turned off ips mode for suricata. I installed the Collections named suricata in crowdsec hub, which contains a suricata log parser and a defense rule, but it doesn't seem to be working properly.
I used the command to see how it was working
and found that it wasn't parsing any of the log files
Which means that it wasn't doing its job, or maybe even It doesn't even know where suricata's log files are?Because I've looked at other log parsers with that command, such as crowdsecurity/sshd-logs and it's working fine. This makes me quite puzzled.
How I can solve this problem?
System and Crowdsec version:
system: 23.7.6
crowdsec: 1.0.7
Thank you!
---
I've been using crowdsec since September and have had my eye on this since then, tried searching for it but couldn't find it. Thought about reading the crowdsec documentation to find a solution, but I'm just a rookie and what's in there is still difficult for me.
Until just now, I searched on Github and found an Issue
https://github.com/crowdsecurity/hub/issues/594#issuecomment-1356885402
which mentioned the file acquis.yaml, I modified the file according to the content in the Issue, and then looked at crowdsec's logs, which indeed began to show the operation of the defence rules.
Well, I finally found a solution.
Since I use opnsense for dial-up, I turned off ips mode for suricata. I installed the Collections named suricata in crowdsec hub, which contains a suricata log parser and a defense rule, but it doesn't seem to be working properly.
I used the command to see how it was working
Code Select
sudo cscli parsers inspect crowdsecurity/suricata-logs
and found that it wasn't parsing any of the log files
Code Select
User@OPNsense:~ % sudo cscli parsers inspect crowdsecurity/suricata-logs
Password:
type: parsers
stage: s01-parse
name: crowdsecurity/suricata-logs
filename: suricata-logs.yaml
description: Parse suricata fast.log
author: crowdsecurity
belongs_to_collections:
- crowdsecurity/suricata
remote_path: parsers/s01-parse/crowdsecurity/suricata-logs.yaml
version: "0.6"
local_path: /usr/local/etc/crowdsec/parsers/s01-parse/suricata-logs.yaml
localversion: "0.6"
localhash: b3a55203e30b26f2cc1765278545389d79551838bc28643cf21a3150fc2efed6
installed: true
downloaded: true
uptodate: true
tainted: false
local: false
Current metrics :
User@OPNsense:~ % sudo cscli parsers inspect crowdsecurity/sshd-logs
type: parsers
stage: s01-parse
name: crowdsecurity/sshd-logs
filename: sshd-logs.yaml
description: Parse openSSH logs
author: crowdsecurity
belongs_to_collections:
- crowdsecurity/sshd
remote_path: parsers/s01-parse/crowdsecurity/sshd-logs.yaml
version: "2.2"
local_path: /usr/local/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
localversion: "2.2"
localhash: 509cfb3fecfc6922de0d09eb54c8c63b773678d7ff543ef0e3590ea5a8b3dc2e
installed: true
downloaded: true
uptodate: true
tainted: false
local: false
Current metrics :
- (Parser) crowdsecurity/sshd-logs:
╭────────────────────────────────┬──────┬────────┬──────────╮
│ Parsers │ Hits │ Parsed │ Unparsed │
├────────────────────────────────┼──────┼────────┼──────────┤
│ file:/var/log/audit/latest.log │ 1 │ 0 │ 1 │
╰────────────────────────────────┴──────┴────────┴──────────╯
Which means that it wasn't doing its job, or maybe even It doesn't even know where suricata's log files are?Because I've looked at other log parsers with that command, such as crowdsecurity/sshd-logs and it's working fine. This makes me quite puzzled.
How I can solve this problem?
System and Crowdsec version:
system: 23.7.6
crowdsec: 1.0.7
Thank you!
---
I've been using crowdsec since September and have had my eye on this since then, tried searching for it but couldn't find it. Thought about reading the crowdsec documentation to find a solution, but I'm just a rookie and what's in there is still difficult for me.
Until just now, I searched on Github and found an Issue
https://github.com/crowdsecurity/hub/issues/594#issuecomment-1356885402
which mentioned the file acquis.yaml, I modified the file according to the content in the Issue, and then looked at crowdsec's logs, which indeed began to show the operation of the defence rules.
Well, I finally found a solution.