As part of my metrics collection I would like to collect (potentially through an already available Prometheus package) the occurrence of a dropped connection. Ideally I would like to fetch the IP that got dropped, the timestamp and the nft rule related to that.
Could you please guide me in the right direction? Do I have to enable nft logging for a specific rule? Would a prometheus-node-exporter be sufficient?
Please define dropped connection....
Dropped by nftables based on rules or unexpected drop/termination of a connection because of i.e. TCP reset?
I'm not quite sure what kind of info you are looking for.
Dropped by nftables rules; in my case I have the crowdsec bouncer acting on nftables and I can see it has added the crowdsec table with the related IP and rules for input and forward.
If crowdsec does not log, then you can add nftrace before passing the packet to the crowdsec queues and match entry and exit messages to determine the userspace verdict. Logging and metrics are different things.
crowdsec is only catching attacks from the logs of nginx (and cloud IPs), and the OpenWrt firewall bouncer is adding the rules. If a malicious IP tries the connection it will not pass the firewall at all, hence crowdsec won't see anything. That's why I need to parse the OpenWrt drop entries.
So add a "counter" or "log" before that "drop". Little to do with crowdsec.
In my first post I didn't even mention it. I have no doubt that it is purely an OpenWrt thing. The question is: once the content is present in the log, is there an exporter, for example the Prometheus one, which already provides the metrics, or shall I parse them myself? Is the netstat exporter the right candidate?
You can use named counters and parse only those.
An nft logging rule just before the last wan input rule should give you all you want. Place it in etc/nft.d/customs.rules. That, paired with rsyslog or syslog-ng to forward all matches to a file for further processing. I did it myself some time ago; it is easily doable with OW.
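One way to consume both of the sources suggested above (named counters, and a `log prefix` rule placed right before the `drop`) is the following script. It is an added example, not code from this thread, from OpenWrt or from the crowdsec bouncer: it parses `logread` lines produced by an nft rule such as `log prefix "cs-drop-input: " level warn`, extracts timestamp, source IP and the prefix (which identifies the rule), parses the JSON that `nft -j list counters` prints, and renders everything in the text format that node_exporter's textfile collector reads. The prefixes `cs-drop-input`/`cs-drop-forward`, the table name `crowdsec`, the counter names and all addresses are assumptions, and the log lines and JSON are constructed samples, not real captures.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample of `logread` output on OpenWrt: three hits from nft rules of
# the form `log prefix "cs-drop-input: " level warn` placed right before a `drop`,
# plus one unrelated line the parser must skip. Prefixes, interfaces and
# addresses are assumptions, not real captures.
SAMPLE_LOGREAD = """\
Thu Mar 14 10:21:07 2024 kern.warn kernel: [ 8213.112233] cs-drop-input: IN=wan OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.45 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=54321 DF PROTO=TCP SPT=41522 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Thu Mar 14 10:21:09 2024 kern.warn kernel: [ 8215.000001] cs-drop-forward: IN=wan OUT=lan SRC=203.0.113.45 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=41523 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Thu Mar 14 10:21:10 2024 daemon.info dnsmasq[1234]: query[A] example.org from 192.168.1.20
Thu Mar 14 10:21:11 2024 kern.warn kernel: [ 8217.500000] cs-drop-input: IN=wan OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
"""

# Constructed sample of `nft -j list counters` for two named counters in an
# assumed table "crowdsec" (declared as `counter cs_drop_input {}` and used with
# `counter name cs_drop_input drop`).
SAMPLE_COUNTERS_JSON = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.2", "release_name": "Lester Gooch", "json_schema_version": 1}},
    {"counter": {"family": "inet", "table": "crowdsec", "name": "cs_drop_input",
                 "handle": 4, "packets": 128, "bytes": 7680}},
    {"counter": {"family": "inet", "table": "crowdsec", "name": "cs_drop_forward",
                 "handle": 5, "packets": 3, "bytes": 120}},
]})

# logread line: "<asctime> <facility.level> kernel: [ <uptime>] <prefix>: IN=... KEY=VALUE ..."
_LOGREAD_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) kern\.\w+ kernel: "
    r"\[\s*[\d.]+\] (?P<prefix>\S+): (?P<fields>IN=.*)$")
# Bare flags such as "DF" or "SYN" carry no '=' and are skipped on purpose.
_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop_line(line):
    """Return a drop event for one nf_log line, or None for any other line.

    The log prefix is used as the rule identity: give every log rule its own
    prefix and each event tells you which rule dropped the packet.
    """
    m = _LOGREAD_RE.match(line)
    if not m:
        return None
    kv = dict(_KV_RE.findall(m.group("fields")))
    return {
        # logread prints the router's local time without a zone; kept naive here.
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "rule": m.group("prefix"),
        "iface": kv.get("IN"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "dpt": kv.get("DPT"),  # absent for ICMP
    }


def parse_logread(text):
    """All drop events in a logread dump, in order; other lines are ignored."""
    return [e for e in map(parse_drop_line, text.splitlines()) if e]


def parse_counters(nft_json_text):
    """Map (family, table, name) -> (packets, bytes) from `nft -j list counters`."""
    out = {}
    for item in json.loads(nft_json_text).get("nftables", []):
        c = item.get("counter")
        if c:
            out[(c["family"], c["table"], c["name"])] = (int(c["packets"]), int(c["bytes"]))
    return out


def _labels(key):
    family, table, name = key
    return f'family="{family}",table="{table}",name="{name}"'


def render_textfile(counters, events):
    """Prometheus text exposition for node_exporter's textfile collector.

    Named counters map one to one onto Prometheus counters. Log events are only
    aggregated by rule/interface/protocol/port: a label per attacker IP is
    unbounded cardinality, so the per-IP detail stays in the log pipeline.
    """
    items = sorted(counters.items())
    lines = ["# HELP nft_named_counter_packets_total Packets matched by a named nftables counter.",
             "# TYPE nft_named_counter_packets_total counter"]
    lines += [f"nft_named_counter_packets_total{{{_labels(k)}}} {p}" for k, (p, _) in items]
    lines += ["# HELP nft_named_counter_bytes_total Bytes matched by a named nftables counter.",
              "# TYPE nft_named_counter_bytes_total counter"]
    lines += [f"nft_named_counter_bytes_total{{{_labels(k)}}} {b}" for k, (_, b) in items]
    lines += ["# HELP nft_logged_drops Logged drops in this log batch, by rule, interface, protocol and port.",
              "# TYPE nft_logged_drops gauge"]
    agg = Counter((e["rule"], e["iface"] or "", e["proto"] or "", e["dpt"] or "") for e in events)
    for (rule, iface, proto, dpt), n in sorted(agg.items()):
        lines.append(f'nft_logged_drops{{rule="{rule}",iface="{iface}",proto="{proto}",dport="{dpt}"}} {n}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    events = parse_logread(SAMPLE_LOGREAD)
    for e in events:
        print(f'{e["time"].isoformat()} rule={e["rule"]} src={e["src"]} -> {e["dst"]} {e["proto"]}/{e["dpt"]}')
    print(render_textfile(parse_counters(SAMPLE_COUNTERS_JSON), events), end="")
```

On a router the script would read `logread` and `nft -j list counters` instead of the samples and write the rendered text to a `.prom` file in the directory node_exporter is started with via `--collector.textfile.directory`; the per-IP events (timestamp, source, rule prefix) are what the syslog-to-file pipeline above keeps, since they do not belong in metric labels.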
All answers are wrong here; OP does not know whether he wants events or JSON metrics.