Enable Suricata fast.log to better enable CrowdSec integration

Started by jonny5, December 14, 2023, 07:04:39 PM

To get your Suricata logs parsed by CrowdSec, specifically enable fast.log, as it has just what CrowdSec needs and no difficult parsing issues.

You will need to change a few things:

1. Enable fast.log output in /usr/local/etc/suricata/suricata.yaml:
   https://github.com/opnsense/core/issues/7083

2. Add log rotation for /var/log/suricata/fast.log:
   https://github.com/opnsense/core/commit/128756bd1c148b0d917fa1cad2f649b66f24f8e5#commitcomment-135018139

3. Add the /usr/local/etc/crowdsec/acquis.d/suricata.yaml file and set it to include ONLY fast.log (you do not want eve.json; that would produce duplicate alerts/decisions, and CrowdSec has some difficulty with the 'printable_payload' that we love seeing in ELK):
   https://github.com/opnsense/plugins/commit/b465377760dde6cd23e8976bda54d087b572ae4c#commitcomment-135019889

Hope this helps everyone out! ^_^
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA

It is currently not a feature, nor will I be available to make it one any time soon. Till then, here's how you do it:
https://www.nova-labs.net/homelab-opnsense-crowdsec-multi-server/

Step 1

The OPNsense CrowdSec plugin installs observing a few default logs from OPNsense (lighttpd/sshd/pf) but does not come configured for any Suricata log listening. A CrowdSec acquis file must be created or modified to get the feature we are adding here; without it, the fast.log file will go unobserved. You will also need the CrowdSec Hub elements to enable the parsing/alerting for Suricata, so console into the OPNsense (ssh in, select option '8') and enter the following commands:

cscli collections install crowdsecurity/suricata
cscli collections install crowdsecurity/whitelist-good-actors
cscli parsers install crowdsecurity/whitelists


Then, after creating the following file, it is my recommendation to hit 'save' on the CrowdSec plugin GUI of your OPNsense; this appears to reload rather than restart the service, as desired.

/usr/local/etc/crowdsec/acquis.d/suricata.yaml:

---
filenames:
  - /var/log/suricata/fast.log
labels:
  type: suricata-fastlogs
---


Step 2

Now that CrowdSec is aware and 'listening', if you will, we will want to create and rotate those fast.log logs. Let's set up the rotation of '/var/log/suricata/fast.log' as a custom config:

/usr/local/etc/newsyslog.conf.d/suricatafast.conf:

# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/var/log/suricata/fast.log root:wheel 640 3 * $D0 BZ /var/run/suricata.pid 1


Step 3

To note: it appears the 'custom.yaml' file you will likely edit needs the entire 'outputs:' stanza of the original Suricata config (/usr/local/etc/suricata/suricata.yaml), which you then edit as desired. The example below is the working 'custom.yaml'; the only edit from the original 'outputs:' stanza is changing 'fast' to be enabled ('enabled: yes').

Worst case currently, an admin will have to be aware of updates to the original and diff the two wisely; as I develop that, I will share it here. It appears that you replace at 'stanza' level, so the other features (threading/etc.) of Suricata appear to be performing as expected, but my experience on this feels suddenly fresher than it used to. It would possibly be better to have this config at the surface of the OPNsense, available in the same spaces as the 'EVE' logs for Suricata. I might try to develop/contribute this in the future; I barely have time for this post lol. ^_^

/usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml:

%YAML 1.1
---
# empty stub for custom modifications, add custom persistent config below
# Configure the type of alert (and other) logging you would like.
outputs:

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
...


^ IMPORTANT - I'm not including the whole "outputs:" stanza here; please refer to your own file on your OPNsense.
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA
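As an added example (not code from this thread, the OPNsense plugin, Suricata or the CrowdSec hub), here is a small Python parser that consumes the fast.log records the acquisition above feeds to CrowdSec. It shows why that format is the easy one: a single regex covers a record, and the three things that trip naive parsers are handled explicitly: the '[Drop]' marker Suricata adds in IPS mode, port-less records for ICMP, and IPv6 endpoints, where the trailing ':digits' is a port only for TCP/UDP/SCTP. The sample lines are constructed, and the per-source threshold in offenders() is this example's own stand-in for what a hub scenario does; the real parsing on OPNsense is done by the crowdsecurity/suricata collection.

```python
"""Parse Suricata fast.log records and count alerts per source IP.

Added example for this thread; not code from the OPNsense plugin, Suricata or
the CrowdSec hub. The record layout mirrors Suricata's fast.log output:

  <ts>  [Drop] [**] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <n>] {PROTO} src[:port] -> dst[:port]

The '[Drop]' marker is only present for packets dropped in IPS mode, and the
ports are only printed for TCP/UDP/SCTP.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample records (RFC 5737 / RFC 3849 documentation addresses),
# plus a non-record line to show that junk is rejected rather than mis-parsed.
SAMPLE_FASTLOG = """\
12/14/2023-19:04:39.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:51234
12/14/2023-19:04:41.000001  [Drop] [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:44123 -> 192.0.2.10:3306
12/14/2023-19:04:42.500000  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
12/14/2023-19:04:43.000000  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2001:db8::7:41000 -> 2001:db8::10:3306
this line is not a fast.log record and must be rejected
"""

_RECORD_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Suricata prints "addr:port" only for these protocols; splitting on the last
# ':' for anything else would chop an IPv6 address such as "2001:db8::1".
_PORTED_PROTOS = {"TCP", "UDP", "SCTP"}


@dataclass(frozen=True)
class FastAlert:
    timestamp: datetime
    action: Optional[str]      # "Drop" / "wDrop" in IPS mode, else None
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _split_endpoint(endpoint: str, proto: str) -> Tuple[str, Optional[int]]:
    """Separate 'addr:port' into (addr, port); port-less for ICMP and friends."""
    if proto.upper() not in _PORTED_PROTOS:
        return endpoint, None
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)


def parse_line(line: str) -> Optional[FastAlert]:
    """Return a FastAlert for one fast.log record, or None if it is not one."""
    m = _RECORD_RE.match(line)
    if m is None:
        return None
    src_ip, src_port = _split_endpoint(m["src"], m["proto"])
    dst_ip, dst_port = _split_endpoint(m["dst"], m["proto"])
    return FastAlert(
        timestamp=datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
        action=m["action"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["classification"],
        priority=int(m["priority"]), proto=m["proto"],
        src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
    )


def parse_fastlog(text: str) -> List[FastAlert]:
    """Parse every record in a fast.log body, skipping lines that are not records."""
    alerts = []
    for line in text.splitlines():
        alert = parse_line(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def offenders(alerts: List[FastAlert], min_alerts: int = 2) -> Dict[str, int]:
    """Source IPs with at least `min_alerts` alerts: a stand-in for the
    per-source bucketing a CrowdSec scenario does before issuing a decision
    (the threshold is an assumption of this example, not the hub's)."""
    counts = Counter(a.src_ip for a in alerts)
    return {ip: n for ip, n in counts.items() if n >= min_alerts}


if __name__ == "__main__":
    parsed = parse_fastlog(SAMPLE_FASTLOG)
    for a in parsed:
        print(f"{a.timestamp:%H:%M:%S} {a.action or 'alert':5} sid={a.sid} "
              f"{a.proto} {a.src_ip}:{a.src_port} -> {a.dst_ip}:{a.dst_port}")
    print("offenders:", offenders(parsed))
```

Run it as a script to see the four parsed records and the one source (198.51.100.7) that crossed the threshold; the junk line is dropped by parse_line() returning None rather than producing a half-filled event, which is the behaviour you want from anything that feeds a ban decision.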