CrowdSec Intelligence Sharing Using open-appsec Parser/Scenario

For CrowdSec and open-appsec both deployed on Kubernetes:

For information on how to deploy CrowdSec on Kubernetes with Helm see here: https://artifacthub.io/packages/helm/crowdsec/crowdsec Make sure to add the following configuration to your helm chart's crowdsec-values.yaml file:

1. Set the container_runtime value to “containerd”.

2. Set the following docker image values in the "image" section:

   Copy

   repository = crowdsecurity/crowdsec
   pullPolicy = IfNotPresent
   tag = "v1.4.6"
   # mandatory to use CrowdSec container version v1.4.6 or later

3. Under the "agent" section, add an entry in the "acquisition" array and configure in with the following namespace, pod name and program values:

   Copy

   namespace = "<namespace-of-your-open-appsec-agent>"
   podName = "appsec-open-appsec-*"
   # make sure this query matches the names of the deployed open-appsec pods, especially if you adjusted the name-template parameter for the open-appsec deployment
   program = "openappsec"

4. Under the "agent" section, add 2 entries in the "env" array:

   Copy

   - name: PARSERS
     value: "crowdsecurity/cri-logs crowdsecurity/dateparse-enrich"
   - name: COLLECTIONS
     value: "crowdsecurity/nginx openappsec/openappsec"

For CrowdSec and open-appsec both deployed on Linux:

1. Make sure to have a CrowdSec version >= 1.4.6 installed on your Linux machine, see https://docs.crowdsec.net/docs/getting_started/install_crowdsec/

2. Configure the acquisition for consuming the open-appsec log-files in CrowdSec's main yaml configuration file /etc/crowdsec/config.yaml as follows:

   Copy

   source: file
   filenames:
     - /var/log/nano_agent/cp-nano-http-transaction-handler.log*
   labels:
     type: openappsec

3. Edit the following configuration file /etc/crowdsec/collections/linux.yaml and add the relevant parsers and collections as shown below:

   Copy

   parsers:
     - crowdsecurity/cri-logs
     - crowdsecurity/dateparse-enrich
   
   collections:
     - crowdsecurity/nginx
     - openappsec/openappsec

4. Restart crowdsec to apply the changes by running sudo systemctl restart crowdsec Alternatively you can use CrowdSec's cscli command to apply the changes: sudo cscli capi update

For CrowdSec and open-appsec both deployed on Docker:

1. Make sure to have a CrowdSec container version >= 1.4.6 installed on Docker, see https://hub.docker.com/r/crowdsecurity/crowdsec

2. Configure the acquisition for consuming the open-appsec log-files in CrowdSec's main yaml configuration file /etc/crowdsec/config.yaml mounted into your crowdsec docker container as follows:

3. Edit the following configuration file /etc/crowdsec/collections/linux.yaml mounted into your crowdsec docker container and add the required parsers and collections as shown below:

4. Restart your CrowdSec docker container to apply the changed configuration.