custom crowdsec parser for os-opnwaf

Started by gerstepe, December 16, 2025, 03:47:35 PM

Hi,

I'm using the Web Application Firewall from the Business Edition (os-OPNWAF) and wanted to integrate it into CrowdSec.
I tried to configure the Apache error log in CrowdSec acquisitions and added the apache2 and modsecurity collections.
Log parsing does not seem to work.
I was wondering if someone tried this already or made a custom log parser for the OPNWAF logs? I couldn't find anything here or on the web.

December 25, 2025, 01:47:32 AM #1 Last Edit: December 25, 2025, 06:41:44 AM by someone
I am new to WAF. As I tried explaining we need it and why, they deleted my posts. I get 50 attacks an hour through the browser and was unaware that could happen; it bypasses the OPNsense firewall and normal Suricata completely. A WAF and AppArmor stop them. Also, OPNsense has the tools, which I have learned about, to mitigate these attacks, but I don't see much on it. So the WAFs I have researched run off the proxy server. I saw some where the log location had to be written into the proxy server config file. Some WAFs need a connector program to the proxy if not already compiled in. OPNWAF may already have it. OPNWAF should, I think, run on its own; not sure what you're trying to do. CrowdSec is an IP-based WAF. OPNWAF uses OWASP ModSecurity rulesets and a few other things. I may have to look at OPNWAF. I was working on Coraza in HAProxy, open-appsec in nginx, and naxsi in nginx, but it says I have to manually put in OWASP rules in naxsi, and Squid and/or nginx decryption to Suricata using a transparent proxy or reverse proxy. There are others here who know. Are you getting log errors? Check where they are sent. Is it working, getting errors or blocks or page blocks? There is a test command in the docs, and there are websites to test it with. Did you check the CrowdSec forums and docs? CrowdSec shows integrating open-appsec into the CrowdSec engine, which would give CrowdSec OWASP ModSecurity rules. Check for similar or others. If you are running OPNWAF, why integrate with CrowdSec?

Nobody deleted your posts, they were moved to the general section.

You did not answer anything the OP needed.

It's about the log format that CrowdSec needs to consume via a collection (https://app.crowdsec.net/hub/author/crowdsecurity/collections/apache2)

The log format of the apache2 access logs needs to be original and not preprocessed by syslog-ng, that's why it's most likely not working for OP.

Please stop writing this mix of noise that adds nothing of value. If you want to answer a question, do it but without all the confused rambling.
Hardware:
DEC740
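
As an added illustration of the log-format point in the post above (not part of the thread, and not CrowdSec or OPNsense code): a small Python check that tells whether a log line is in Apache's original format or has a syslog header in front of it. The sample lines are constructed, and the RFC 5424 / RFC 3164 header layouts are an assumption about what a syslog-processed file might look like, not the documented OPNWAF format.

```python
import re

# Apache "combined" access log line, as written by Apache itself.
ACCESS = re.compile(
    r'^\S+ \S+ \S+ \[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] '
    r'"[^"]*" \d{3} (?:\d+|-)(?: "[^"]*" "[^"]*")?$')
# Apache 2.4 error log line: [Tue Dec 16 15:47:35.123456 2025] [module:level] ...
ERROR = re.compile(
    r'^\[\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4}\] \[[\w-]*:\w+\] ')
# Syslog headers that a log daemon may put in front of the original line.
RFC5424 = re.compile(r'^<\d{1,3}>\d \S+ \S+ \S+ \S+ \S+ (?:-|(?:\[[^\]]*\])+) ?')
RFC3164 = re.compile(
    r'^(?:<\d{1,3}>)?\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ [^\s:\[]+(?:\[\d+\])?: ')

# Constructed sample lines (not taken from a real OPNWAF system).
RAW_ACCESS = ('203.0.113.7 - - [16/Dec/2025:15:47:35 +0100] '
              '"GET /index.php HTTP/1.1" 403 199 "-" "curl/8.5.0"')
RAW_ERROR = ('[Tue Dec 16 15:47:35.123456 2025] [security2:error] [pid 4242] '
             '[client 203.0.113.7:51234] ModSecurity: Access denied with code 403')
WRAPPED_5424 = ('<13>1 2025-12-16T15:47:35+01:00 fw.example.org apache 4242 - '
                '[meta sequenceId="7"] ' + RAW_ERROR)
WRAPPED_3164 = 'Dec 16 15:47:35 fw apache[4242]: ' + RAW_ACCESS

def apache_kind(line):
    """Return 'access', 'error' or None for a line with no wrapper."""
    if ACCESS.match(line):
        return "access"
    if ERROR.match(line):
        return "error"
    return None

def classify(line):
    """Return (wrapper, apache_kind, payload) for one log line."""
    line = line.rstrip("\r\n")
    kind = apache_kind(line)
    if kind:
        return ("raw", kind, line)
    for name, header in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = header.match(line)
        if m:  # header found: whatever follows it is the original message
            payload = line[m.end():]
            return (name, apache_kind(payload), payload)
    return ("unknown", None, line)

if __name__ == "__main__":
    for sample in (RAW_ACCESS, RAW_ERROR, WRAPPED_5424, WRAPPED_3164):
        wrapper, kind, _ = classify(sample)
        print(f"{wrapper:8} {kind}")
```

Lines reported with a wrapper other than `raw` are the preprocessed case the post describes; the returned payload shows what the line looks like once the header is removed.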

Second try, I got hacked again, killed my computer
Thanks
That's just the way I talk, like deprecated speech, I have to leave a lot out, and I have to talk fast
because I don't know how long I have before another hacking crash
There is a reason for what I brought up but if I explain it all, it could be ten times longer

thanks again

You have never provided any evidence of these alleged "hacks".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)