cscli parsers install crowdsecurity/wireguard-logs
For CrowdSec to detect attacks on WireGuard it needs logs. Since WireGuard logs close to nothing by default, you have to enable its dynamic debug (dyndbg) logging, which sends its messages to the Linux kernel message buffer, kmsg.
These will be picked up by your Linux distro's syslog service (at least on Debian, probably also on most others) and written to /var/log/kern.log. On other distros they will be logged to /var/log/messages. On a machine that runs journald only, with no syslog daemon, the kernel messages are in the journal instead (journalctl -k), so point CrowdSec's acquisition at the journal rather than at a file.
To enable WireGuard's dyndbg logging (this needs a kernel built with CONFIG_DYNAMIC_DEBUG and debugfs mounted at /sys/kernel/debug, which is the case on Debian):
$ sudo modprobe wireguard
$ echo module wireguard +p | sudo tee /sys/kernel/debug/dynamic_debug/control
Note that this setting does not survive a reboot or a module reload. To make it persistent, set it as a module parameter instead, e.g. a line "options wireguard dyndbg=+p" in a file under /etc/modprobe.d/, so it takes effect every time the module is loaded.
For more details on which messages we are looking for, why, and other ways to enable logging on WireGuard, see: https://www.procustodibus.com/blog/2021/03/wireguard-logs/
The parser as shipped in the hub:

filter: "evt.Parsed.program == 'kernel' and evt.Parsed.message contains 'wireguard:'"
#debug: true
onsuccess: next_stage
name: crowdsecurity/wireguard-logs
description: "Parses wireguard log via dyndbg"
# Note: the two pattern names below are the reverse of the messages they match
# (INVALID_HANDSHAKE matches the "unallowed src IP" message and vice versa);
# they are kept here exactly as shipped.
pattern_syntax:
  WIREGUARD_INVALID_HANDSHAKE: 'wireguard: wg%{INT}: Packet has unallowed src IP \(%{IP}\) from peer %{INT} \(%{IP:source_ip}:%{INT}\)'
  WIREGUARD_UNAUTHORIZED_PACKET: 'wireguard: wg%{INT}: Invalid handshake initiation from %{IP:source_ip}:%{INT}'
nodes:
  - grok:
      name: "WIREGUARD_INVALID_HANDSHAKE"
      apply_on: message
      statics:
        - meta: log_type
          value: wireguard_failed_auth
        - meta: log_subtype
          value: wireguard_invalid_handshake
  - grok:
      name: "WIREGUARD_UNAUTHORIZED_PACKET"
      apply_on: message
      statics:
        - meta: log_type
          value: wireguard_failed_auth
        - meta: log_subtype
          value: wireguard_unauthorized_packet

statics:
  - meta: service
    value: wireguard
  - meta: source_ip
    expression: "evt.Parsed.source_ip"