Docker based log parser not connecting to Opnsense running LAPI
I am working on setting up crowdsec on my second network and I'm running into issues getting another machine connected to the LAPI running on opnsense.
My opnsense crowdsec config can be seen in the attached picture as well as the firewall rule on the LAN interface that allows the docker machine (an unraid box) to connect to port 8080 on the router.
When running the
sudo cscli lapi register -u http://192.168.20.1:8080
command on my crowdsec docker it says it's successful and saves the creds into local_api_credentials.yaml. I then stopped the docker and edited config.yaml in the docker server and disabled the server api. On the Opnsense lapi I validated the machine. Now, whenever trying to start the crowdsec docker, it will not start successfully. It gets stuck in a loop of crashing over and over. This can be found in the logs:
It is repeated over and over.
I have verified using curl that the docker server is able to connect to the opnsense box over 8080. There is also nothing being blocked in the opnsense firewall logs from either machine. Running cscli machines list
shows that the creds generated haven't been used even once. I have also attached a censored screenshot of the local creds file on the docker server and you can see the machine ids match lapi. I have also verified the client creds path matches the file with the info on the docker server.
I played with this for a couple hours yesterday and I'm at a loss of what to try next.



7 Replies
I've tried to increase the verbosity of the logging but it doesn't seem to make a difference in what is outputted in the container logs. (when the lapi is enabled it does have debug output but then it starts up correctly)
It's also worth adding that when the crowdsec container is in this state it doesn't even try to send any packets to the lapi on opnsense. (according to firewall logs anyway)
My current theory is that something is broken in the docker image for crowdsec as turning off the lapi without any additional configuration yields basically the same results. (crowdsecurity/crowdsec:latest)
Please let me know if any additional info would be helpful or if anything isn't clear.
@iiamloz Do you have any insight on this?
So connecting an external docker to a LAPI currently sucks, you have to define everything as environment variables.
you need
to get username and password either run
cscli lapi register
then grab it from the local_api_credentials.yaml
before a restart or on the lapi run cscli machines add -f- --auto
then copy the output.
Thanks for the help! I noticed it wiped out local_api_credentials.yaml on a restart so I had been saving it locally and turning off lapi before restarting it.
I will try this out sometime this weekend
It worked!

Was that something I missed in the documentation? I'd assume there's not many people trying to do this?
It kind of is, but I need to find time to have a "how to connect to external LAPI" section, because it relies on you reading the env section and understanding that you need to do it
https://docs.crowdsec.net/u/getting_started/installation/docker#environment-variables
Gotcha. That explains it, I didn’t realize it was required for agent only mode when running in docker.
Thanks for the support as always
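
The environment-variable setup described in the reply above, as an added example that is not part of the thread or of CrowdSec's own code: a shell function that turns the credentials file written by `cscli lapi register` into an env file for an agent-only container. The variable names (`DISABLE_LOCAL_API`, `LOCAL_API_URL`, `AGENT_USERNAME`, `AGENT_PASSWORD`) come from the Docker image documentation linked in the thread, not from the posts themselves; the `url`/`login`/`password` file layout is assumed, and the sample credentials are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Converts the credentials file written by
# `cscli lapi register` into an env file for an agent-only CrowdSec container.

# creds_to_env FILE: print KEY=value lines suitable for `docker run --env-file`.
creds_to_env() {
    creds_file=$1
    [ -r "$creds_file" ] || { echo "cannot read $creds_file" >&2; return 1; }

    # Read one top-level "key: value" scalar, trimming trailing whitespace/CR
    # and one pair of surrounding quotes.
    get() {
        sed -n "s/^$1:[[:space:]]*//p" "$creds_file" | head -n 1 |
            sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
    }
    url=$(get url); login=$(get login); password=$(get password)

    # Fail closed: a missing field would leave the agent unable to authenticate.
    for v in "$url" "$login" "$password"; do
        [ -n "$v" ] || { echo "url, login and password are all required" >&2; return 1; }
    done

    printf 'DISABLE_LOCAL_API=true\n'      # agent-only: do not start a LAPI in the container
    printf 'LOCAL_API_URL=%s\n' "$url"     # the remote LAPI, e.g. the OPNsense box
    printf 'AGENT_USERNAME=%s\n' "$login"
    printf 'AGENT_PASSWORD=%s\n' "$password"
}

# Constructed sample input; login and password are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
url: http://192.168.20.1:8080
login: constructed-machine-id
password: constructed-password
EOF
creds_to_env "$sample"
rm -f "$sample"
```

Redirect the output to a file readable only by its owner and pass it with `docker run --env-file`, so the credentials survive container restarts without depending on local_api_credentials.yaml inside the container.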