OpenWRT doesn't output syslog to a file by default, so how does the crowdsec package scan for threats beyond importing IP bans from the rest of the world?
The default setup has this:
cscli metrics
INFO[15-12-2022 04:55:05 PM] Local Api Metrics:
+----------------------+--------+------+
| ROUTE                | METHOD | HITS |
+----------------------+--------+------+
| /v1/alerts           | GET    | 7    |
| /v1/decisions/stream | GET    | 625  |
| /v1/watchers/login   | POST   | 10   |
+----------------------+--------+------+
INFO[15-12-2022 04:55:05 PM] Local Api Machines Metrics:
+--------------------------------------------------+------------+--------+------+
| MACHINE                                          | ROUTE      | METHOD | HITS |
+--------------------------------------------------+------------+--------+------+
| d26ffdf46b234e47a83324358a9aa308saAtnf4uLr27aJ3P | /v1/alerts | GET    | 7    |
+--------------------------------------------------+------------+--------+------+
INFO[15-12-2022 04:55:05 PM] Local Api Bouncers Metrics:
+------------------------------------+----------------------+--------+------+
| BOUNCER                            | ROUTE                | METHOD | HITS |
+------------------------------------+----------------------+--------+------+
| crowdsec-firewall-bouncer-QUBnPT2q | /v1/decisions/stream | GET    | 625  |
+------------------------------------+----------------------+--------+------+
So I changed the OpenWRT config to output syslog to a file. Now I get:
cscli metrics
INFO[15-12-2022 04:55:05 PM] Acquisition Metrics:
+----------------------+------------+--------------+----------------+------------------------+
| SOURCE               | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+----------------------+------------+--------------+----------------+------------------------+
| file:/var/log/syslog | 1251       | -            | 1251           | -                      |
+----------------------+------------+--------------+----------------+------------------------+
INFO[15-12-2022 04:55:05 PM] Parser Metrics:
+---------------------------------+------+--------+----------+
| PARSERS                         | HITS | PARSED | UNPARSED |
+---------------------------------+------+--------+----------+
| child-crowdsecurity/syslog-logs | 2502 | -      | 2502     |
| crowdsecurity/syslog-logs       | 1251 | -      | 1251     |
+---------------------------------+------+--------+----------+
INFO[15-12-2022 04:55:05 PM] Local Api Metrics:
+----------------------+--------+------+
| ROUTE                | METHOD | HITS |
+----------------------+--------+------+
| /v1/alerts           | GET    | 7    |
| /v1/decisions/stream | GET    | 625  |
| /v1/watchers/login   | POST   | 10   |
+----------------------+--------+------+
INFO[15-12-2022 04:55:05 PM] Local Api Machines Metrics:
+--------------------------------------------------+------------+--------+------+
| MACHINE                                          | ROUTE      | METHOD | HITS |
+--------------------------------------------------+------------+--------+------+
| d26ffdf46b234e47a83324358a9aa308saAtnf4uLr27aJ3P | /v1/alerts | GET    | 7    |
+--------------------------------------------------+------------+--------+------+
INFO[15-12-2022 04:55:05 PM] Local Api Bouncers Metrics:
+------------------------------------+----------------------+--------+------+
| BOUNCER                            | ROUTE                | METHOD | HITS |
+------------------------------------+----------------------+--------+------+
| crowdsec-firewall-bouncer-QUBnPT2q | /v1/decisions/stream | GET    | 625  |
+------------------------------------+----------------------+--------+------+
Which makes "more sense" in that I can see syslog being read.
In terms of alerts, there are none (only the community blocklist).
Zero "Lines Parsed" from syslog:
root@OpenWrt:/etc/crowdsec# cscli alerts list
+----+-----------------------------------+------------------------+---------+----+-----------+-------------------------------+
| ID | VALUE                             | REASON                 | COUNTRY | AS | DECISIONS | CREATED AT                    |
+----+-----------------------------------+------------------------+---------+----+-----------+-------------------------------+
| 8  | crowdsecurity/community-blocklist | update : +32/-0 IPs    |         |    | ban:32    | 2022-12-15 15:27:20 +0000 UTC |
| 7  | crowdsecurity/community-blocklist | update : +15000/-0 IPs |         |    | ban:14981 | 2022-12-15 12:30:35 +0000 UTC |
| 6  | crowdsecurity/community-blocklist | update : +15000/-0 IPs |         |    | ban:53    | 2022-12-15 10:25:22 +0000 UTC |
| 5  | crowdsecurity/community-blocklist | update : +15000/-0 IPs |         |    | ban:348   | 2022-12-14 21:29:08 +0000 UTC |
| 4  | crowdsecurity/community-blocklist | update : +15000/-0 IPs |         |    | ban:61    | 2022-12-14 19:29:08 +0000 UTC |
| 3  | crowdsecurity/community-blocklist | update : +15000/-0 IPs |         |    | ban:58    | 2022-12-14 17:29:08 +0000 UTC |
| 2  | crowdsecurity/community-blocklist | update : +15000/-0 IPs |         |    | ban:6     | 2022-12-14 15:27:19 +0000 UTC |
| 1  | crowdsecurity/community-blocklist | update : +15000/-0 IPs |         |    | ban:12071 | 2022-12-14 13:24:21 +0000 UTC |
+----+-----------------------------------+------------------------+---------+----+-----------+-------------------------------+
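An added example, written for this page and not taken from the post or from the crowdsec project: a small Python health check over `cscli metrics` output that flags the exact condition shown above, an acquisition source whose lines are all read but none parsed. When that happens nothing from the file reaches a scenario, so the only alerts the agent will ever raise are blocklist updates, while the service itself looks perfectly healthy. The sample input is the Acquisition and Parser tables quoted in the post, embedded as a constant (cell padding dropped the way the forum rendered it, which the parser tolerates); the `-` standing for a zero counter is taken as displayed there. Function and variable names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the Acquisition and Parser tables from the
# `cscli metrics` output quoted in the post above.
SAMPLE_METRICS = """\
INFO[15-12-2022 04:55:05 PM] Acquisition Metrics:
+----------------------+------------+--------------+----------------+------------------------+
| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+----------------------+------------+--------------+----------------+------------------------+
| file:/var/log/syslog | 1251 | - | 1251 | - |
+----------------------+------------+--------------+----------------+------------------------+
INFO[15-12-2022 04:55:05 PM] Parser Metrics:
+---------------------------------+------+--------+----------+
| PARSERS | HITS | PARSED | UNPARSED |
+---------------------------------+------+--------+----------+
| child-crowdsecurity/syslog-logs | 2502 | - | 2502 |
| crowdsecurity/syslog-logs | 1251 | - | 1251 |
+---------------------------------+------+--------+----------+
"""


def _count(cell: str) -> int:
    """cscli prints '-' for a zero counter; everything else is a plain integer."""
    cell = cell.strip()
    return 0 if cell in ("-", "") else int(cell)


def parse_tables(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Split cscli metrics output into {section title: [row as {column: cell}]}.

    A section starts at an 'INFO[...] <Title>:' line. Inside it, every line
    beginning with '|' is a table row; the first such row is the header.
    '+----+' rule lines and anything outside a table are ignored.
    """
    sections: Dict[str, List[Dict[str, str]]] = {}
    title = None
    header: List[str] = []
    for line in text.splitlines():
        m = re.match(r"INFO\[[^\]]*\]\s+(.+?):\s*$", line)
        if m:
            title, header = m.group(1), []
            sections[title] = []
            continue
        line = line.strip()
        if title is None or not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if not header:
            header = cells
        else:
            sections[title].append(dict(zip(header, cells)))
    return sections


@dataclass
class SourceMetrics:
    source: str
    read: int
    parsed: int
    unparsed: int
    poured: int


def acquisition_metrics(text: str) -> List[SourceMetrics]:
    """Typed view of the Acquisition Metrics table."""
    rows = parse_tables(text).get("Acquisition Metrics", [])
    return [
        SourceMetrics(
            source=r["SOURCE"],
            read=_count(r["LINES READ"]),
            parsed=_count(r["LINES PARSED"]),
            unparsed=_count(r["LINES UNPARSED"]),
            poured=_count(r["LINES POURED TO BUCKET"]),
        )
        for r in rows
    ]


def blind_sources(text: str) -> List[str]:
    """Sources that are read but never parsed. Every line from such a source is
    dropped before it can reach a scenario, so local detection for it is nil
    even though the agent is demonstrably tailing the file."""
    return [m.source for m in acquisition_metrics(text) if m.read > 0 and m.parsed == 0]


def dead_parsers(text: str) -> List[str]:
    """Parsers that receive lines but parse none of them, i.e. the input format
    does not match what the parser's grok patterns expect."""
    rows = parse_tables(text).get("Parser Metrics", [])
    return [r["PARSERS"] for r in rows if _count(r["HITS"]) > 0 and _count(r["PARSED"]) == 0]


if __name__ == "__main__":
    # On a real box, feed this the stdout of `cscli metrics` instead of the sample.
    for src in blind_sources(SAMPLE_METRICS):
        print(f"WARNING: {src} is read but nothing is parsed")
    for p in dead_parsers(SAMPLE_METRICS):
        print(f"  parser {p} sees lines but parses none of them")
```

Run periodically (cron, or a monitoring check) this turns a silent failure into an alarm: a source listed by `blind_sources` is one the agent is not actually protecting, and the parser names from `dead_parsers` tell you which format mismatch to investigate.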