cscli parsers install crowdsecurity/iptables-logs
A parser for `iptables -j LOG` logs:

- Kernel log lines containing `IN=` and not `ACCEPT` are parsed.
- TCP and UDP packets are considered as DROPs.
- `icmp_type` and `icmp_code` are extracted from ICMP packets.
To make this parser relevant, you should have `iptables -A INPUT -m state --state NEW -j LOG` or a similar rule in your configuration. This rule will log all new connections, successful or not.
```yaml
onsuccess: next_stage
#debug: true
filter: "evt.Parsed.program == 'kernel' and evt.Parsed.message contains 'IN=' and not (evt.Parsed.message contains 'ACCEPT')"
name: crowdsecurity/iptables-logs
description: "Parse iptables drop logs"
statics:
  - parsed: unused #this is never used setting to random var
    expression: ParseKV(evt.Parsed.message, evt.Unmarshaled, "iptables")
  - meta: service
    expression: Lower(evt.Unmarshaled.iptables.PROTO)
  - meta: log_type
    expression: |
      evt.Meta.log_type != "" ? evt.Meta.log_type : evt.Meta.service in ["tcp", "udp"] && evt.Unmarshaled.iptables.OUT == "" ? "iptables_drop" : ""
  - meta: icmp_type
    expression: evt.Unmarshaled.iptables.TYPE
  - meta: icmp_code
    expression: evt.Unmarshaled.iptables.CODE
  - meta: source_ip
    expression: "evt.Unmarshaled.iptables.SRC"
## For backporting reason all previous variables will be reparsed out to the parsed object
  - parsed: dst_port
    expression: evt.Unmarshaled.iptables.DPT
  - parsed: int_eth
    expression: evt.Unmarshaled.iptables.IN
  - parsed: src_ip
    expression: evt.Unmarshaled.iptables.SRC
  - parsed: dst_ip
    expression: evt.Unmarshaled.iptables.DST
  - parsed: length
    expression: evt.Unmarshaled.iptables.LEN
  - parsed: proto
    expression: evt.Unmarshaled.iptables.PROTO
  - parsed: src_port
    expression: evt.Unmarshaled.iptables.SPT
```
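As an added example (not CrowdSec's own code), the Python below re-implements the parser's filter and statics so you can check offline which kernel lines would become `iptables_drop` events before deploying; the `parse_kv` helper stands in for CrowdSec's `ParseKV`, and the log lines and addresses are constructed.

```python
import re

# iptables -j LOG writes KEY=VALUE tokens; OUT= is empty for inbound packets
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_kv(message):
    """Stand-in for ParseKV(): KEY=VALUE tokens to a dict, empty values kept."""
    return dict(KV_RE.findall(message))


def parse_iptables_line(program, message):
    """Apply the parser's filter, then its statics; None means the line is skipped."""
    # filter: program == 'kernel', message contains 'IN=' and not 'ACCEPT'
    if program != "kernel" or "IN=" not in message or "ACCEPT" in message:
        return None
    kv = parse_kv(message)
    service = kv.get("PROTO", "").lower()  # meta: service
    # meta: log_type -> tcp/udp with an empty OUT= (inbound) is an iptables_drop
    is_drop = service in ("tcp", "udp") and kv.get("OUT", "") == ""
    return {
        "service": service,
        "log_type": "iptables_drop" if is_drop else "",
        "source_ip": kv.get("SRC", ""),
        "dst_port": kv.get("DPT", ""),
        "src_port": kv.get("SPT", ""),
        "icmp_type": kv.get("TYPE", ""),
        "icmp_code": kv.get("CODE", ""),
    }


# Constructed sample (program, message) pairs as syslog would hand them to CrowdSec.
SAMPLE_LINES = [
    ("kernel", "IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN"),
    ("kernel", "IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0"),
    ("kernel", "ACCEPT IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.2 PROTO=TCP SPT=5000 DPT=443"),
    ("sshd", "IN=eth0 OUT= SRC=203.0.113.10 PROTO=UDP DPT=53"),
]


def drops_from(lines):
    """Source IPs of lines the parser would tag as iptables_drop."""
    events = (parse_iptables_line(p, m) for p, m in lines)
    return [e["source_ip"] for e in events if e and e["log_type"] == "iptables_drop"]


if __name__ == "__main__":
    print(drops_from(SAMPLE_LINES))  # ['203.0.113.7']
```

Note that the ICMP line is parsed (its `icmp_type` and `icmp_code` are populated) but gets an empty `log_type`, matching the YAML expression that only tags tcp/udp as drops.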