# CrowdSec Intelligence Sharing Using open-appsec Parser/Scenario

When you use CrowdSec alongside open-appsec to consume CrowdSec Threat Intelligence, you may also want the CrowdSec security engine to parse the security logs created by open-appsec's multiple security layers. This adds security indicators to your local CrowdSec "ecosystem" and shares intelligence with CrowdSec Threat Intelligence, contributing to their Community Blocklist. \
To achieve this you can use our open-appsec collection available from the [CrowdSec Hub](https://hub.crowdsec.net/author/openappsec/collections/openappsec).

#### Required Parsers and Collections

To parse open-appsec logs within CrowdSec, the following parsers must be installed:

* [crowdsecurity/cri-logs](https://hub.crowdsec.net/author/crowdsecurity/configurations/cri-logs)
* [crowdsecurity/dateparse-enrich](https://hub.crowdsec.net/author/crowdsecurity/configurations/dateparse-enrich)

The following Collections must be installed:

* [crowdsecurity/nginx](https://hub.crowdsec.net/author/crowdsecurity/collections/nginx)
* [openappsec/openappsec](https://hub.crowdsec.net/author/openappsec/collections/openappsec)

### Required CrowdSec Configuration for Parsing open-appsec Logs

{% tabs %}
{% tab title="Kubernetes" %}

#### For CrowdSec and open-appsec both deployed on Kubernetes:

For information on how to deploy CrowdSec on Kubernetes with Helm see here:\
<https://artifacthub.io/packages/helm/crowdsec/crowdsec>\
\
Make sure to add the following configuration to your helm chart's **crowdsec-values.yaml** file:

1. Set the **container\_runtime** value to “**containerd**”.
2. Set the following docker image values in the "**image**" section:

   ```
   image:
     repository: crowdsecurity/crowdsec
     pullPolicy: IfNotPresent
     # mandatory to use CrowdSec container version v1.4.6 or later
     tag: "v1.4.6"
   ```
3. Under the "**agent**" section, add an entry in the "**acquisition**" array and configure it with the following namespace, pod name and program values:

   ```
   agent:
     acquisition:
       - namespace: "<namespace-of-your-open-appsec-agent>"
         # make sure this pattern matches the names of the deployed open-appsec pods,
         # especially if you adjusted the name-template parameter for the open-appsec deployment
         podName: "appsec-open-appsec-*"
         program: "openappsec"
   ```
4. Under the "**agent**" section, add 2 entries in the "**env**" array:

   ```
   - name: PARSERS
     value: "crowdsecurity/cri-logs crowdsecurity/dateparse-enrich"
   - name: COLLECTIONS
     value: "crowdsecurity/nginx openappsec/openappsec"
   ```

{% endtab %}

{% tab title="Linux" %}

#### For CrowdSec and open-appsec both deployed on Linux:

1. Make sure to have a CrowdSec version >= 1.4.6 installed on your Linux machine, see <https://docs.crowdsec.net/docs/getting_started/install_crowdsec/>
2. Configure the acquisition for consuming the open-appsec log-files in CrowdSec's main yaml configuration file `/etc/crowdsec/config.yaml` as follows:

   ```
   source: file
   filenames:
     - /var/log/nano_agent/cp-nano-http-transaction-handler.log*
   labels:
     type: openappsec
   ```
3. Edit the following configuration file `/etc/crowdsec/collections/linux.yaml` \
   and add the relevant parsers and collections as shown below:

   ```
   parsers:
     - crowdsecurity/cri-logs
     - crowdsecurity/dateparse-enrich

   collections:
     - crowdsecurity/nginx
     - openappsec/openappsec
   ```
4. Restart crowdsec to apply the changes by running\
   `sudo systemctl restart crowdsec`\
   \
   Alternatively you can use CrowdSec's `cscli` command to apply the changes:\
   `sudo cscli capi update`

{% endtab %}

{% tab title="Docker" %}

#### For CrowdSec and open-appsec both deployed on Docker:

1. Make sure to have a CrowdSec container version >= 1.4.6 installed on Docker, see <https://hub.docker.com/r/crowdsecurity/crowdsec>
2. Configure the acquisition for consuming the open-appsec log-files in CrowdSec's main yaml configuration file `/etc/crowdsec/config.yaml` mounted into your crowdsec docker container as follows:

   ```
   source: docker
   container_name:
     - open-appsec-agent
   labels:
     type: openappsec
   ```
3. Edit the following configuration file `/etc/crowdsec/collections/linux.yaml` \
   mounted into your crowdsec docker container and add the required parsers and collections as shown below:

   ```
   parsers:
     - crowdsecurity/cri-logs
     - crowdsecurity/dateparse-enrich

   collections:
     - crowdsecurity/nginx
     - openappsec/openappsec
   ```
4. Restart your CrowdSec docker container to apply the changed configuration.

{% endtab %}
{% endtabs %}

{% hint style="danger" %}
CrowdSec version needs to be above or equal to 1.4.6 for open-appsec log parsing integration to work. Note that if you specify "latest" as the tag you might still get an older version below v1.4.6.
{% endhint %}
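
A pre-flight check for the two requirements above: the minimum CrowdSec version and the four required parsers and collections. This is an added example, not code from open-appsec or CrowdSec. The function names and sample values are assumptions; feed it the tag from your image section or the version reported by `cscli version`, and the names shown by `cscli parsers list` and `cscli collections list`.

```sh
#!/bin/sh
# Added example (not from the open-appsec or CrowdSec docs).
MIN_VERSION="1.4.6"   # minimum CrowdSec version stated on this page
# Parsers and collections this page lists as required.
REQUIRED_ITEMS="crowdsecurity/cri-logs crowdsecurity/dateparse-enrich crowdsecurity/nginx openappsec/openappsec"

# Strip a leading "v" and any "-suffix"/"+suffix", so "v1.4.6-abc" becomes "1.4.6".
normalize_version() {
  printf '%s\n' "$1" | sed -e 's/^v//' -e 's/[-+].*$//'
}

# Succeed only if the given version or image tag is >= MIN_VERSION.
version_ok() {
  _have=$(normalize_version "$1")
  case "$_have" in
    ''|*[!0-9.]*) return 1 ;;   # "latest" or empty: version cannot be verified
  esac
  # sort -V orders version strings numerically per component (1.4.10 > 1.4.6).
  _lowest=$(printf '%s\n%s\n' "$MIN_VERSION" "$_have" | sort -V | head -n 1)
  [ "$_lowest" = "$MIN_VERSION" ]
}

# Print each required hub item that is absent from a newline-separated list of names.
missing_items() {
  for _item in $REQUIRED_ITEMS; do
    printf '%s\n' "$1" | grep -qxF "$_item" || printf '%s\n' "$_item"
  done
}

# Constructed sample values for demonstration only.
sample_tag="latest"
sample_installed="crowdsecurity/cri-logs
crowdsecurity/nginx"
version_ok "$sample_tag" || echo "cannot confirm '$sample_tag' is >= $MIN_VERSION; pin a version tag"
missing_items "$sample_installed" | sed 's/^/missing: /'
```
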

{% hint style="info" %}
For further details on this please consult the CrowdSec documentation available here:\
[https://docs.crowdsec.net](https://docs.crowdsec.net)
{% endhint %}

If you haven't configured open-appsec to bounce malicious source IP addresses based on CrowdSec's Threat Intelligence using the Community Blocklist, you can follow the steps explained here to configure this in a couple of easy steps:

{% content-ref url="crowdsec-bouncer-support" %}
[crowdsec-bouncer-support](https://docs.openappsec.io/integrations/crowdsec/crowdsec-bouncer-support)
{% endcontent-ref %}
