The important part is to make a new file to get Crowdsec to parse the log file you want it to parse. You can make a new one but will have to manage the ācustom.yamlā file in a way that might not make sense, but since it gets copied over, is necessary.
Thanks for the reply. I did a similar approach but with fast.logs enabled. The things is that I populated the costom.yaml only with the fast.logs config and the eve.json
I am not shure if I need to be 1 on 1 copy like the suricata.yaml file.
I tried first to copy and have the exact same content in both but after doing this, the machine started to run out of memory super fast and eventually when swap was also full it restarted. I donāt know why or which approach is better.
Currently the setup is working and the fast.log get populated with events and the flow is working ok but since I only have this part of the config in custom.yaml I donāt know if everything is working ok or not.
Some of the duplicated/parse error comes from Suricata not being Snort, as some rules are written for Snort and cannot be parsed by Suricata. There are other issues possibly, but those are much more in the space of what is actually performing your rule update cycle.
Are you using āsuricata-updateā or are you using Suricata as installed in an OPNSense and their Policy method of rule updates and modifications, or another rule management environment all together?
Thank you for the config, much appreciated. I pasted your config and seems to be working. Regarding the duplicate and parsing errors, I solved that. There are still the flow bit errors that I see in the logs.
I am using Suricata directly as it comes with the OPNSense install.
Possible issue about the custom.yaml file on the OPNSense!! By default on an update of Suricata or a full suricata.service restart, the OS/Distro will copy (but not really copy, there is some parsing/modification involved) the custom.yaml from the template area of the OPNSense and replace what is located at /usr/local/etc/suricata/custom.yaml and this is more or less undesirable as your modifications will disappear. If you try to edit the file at the template folder - it will break the service all together.
In the following how-to, thereās a lot covered but in one of the steps, but I explain how to make a shell script (which if you copied the suricataupdate.sh script and near removed all the extra would do what you seek) and in another step make new file that stays around and adds selectable Cron entries to the OPNSense Web Management GUI.
Configuring your script with a schedule can let you ākeepā your custom.yaml as desired - by if necessary, copying the correct one over and appropriately restarting Suricata:
^ The full guide does allow you to use āsuricata-updateā instead of OPNSenseās Policy mod/update method and I can say from experience, suricata-update is faster and more thorough.
To keep the ācustom.yamlā file that you want to update in the expected state, a better fix would be to figure out how/why it is getting reset and update the various Git Repos at Github for OPNSense, but I have not had time to get familiar enough with the full underbelly of OPNSense to do that.