Crowdsec support

[ConGp20]

would be nice, if there was a crowdsec parser plugin

[cowarol]

that would be nice

[jyvern]

+1 🙂

[heliax01]

+1 🙂

[Recentiv]

+1 🙂

[king8084]

pls....

[barcelona92]

+1

[KoenVanduffel]

Just switched from NPM today. Really impressed!
Crowdsec would definitely make Zoraxy a more complete product.

[Raithmir]

I've been testing this for the last couple of days and have log parsing working in Crowdsec.

You'll need to install Crowdsec, the relevant firewall bouncer, and the base HTTP scenarios...

cscli collections install crowdsecurity/base-http-scenarios

Then you'll need to create an acquisition file (/etc/crowdsec/acquis.d/zoraxy.yaml) to point to your log file location...

filenames:
  - "/opt/zoraxy/log/zr_*.log"
labels:
  type: "zoraxy"

Finally create the parser file (/etc/crowdsec/parsers/s01-parse/zoraxy-logs.yaml)...

name: raithmir/zoraxy-logs
description: "Parse Zoraxy logs"
filter: "evt.Parsed.program == 'zoraxy'"
onsuccess: next_stage
#debug: true

nodes:
 - grok:
     pattern: '\[%{TIMESTAMP_ISO8601:time_stamp}\] \[router:(?:host-http|whitelist|blacklist|subdomain-http|host-websocket|vdir-http|vdir-websocket|redirect)\] \[origin:%{IPORHOST:target_server}?\] \[client %{IPORHOST:remote_addr}\] %{WORD:verb} %{DATA:request} %{NUMBER:status}'
     apply_on: message
     statics:
       - meta: log_type
         value: http_access-log
       - target: evt.StrTime
         expression: evt.Parsed.time_stamp

statics:
   - meta: service
     value: http
   - meta: source_ip
     expression: evt.Parsed.remote_addr
   - meta: http_status
     expression: evt.Parsed.status
   - meta: http_path
     expression: evt.Parsed.request
   - meta: http_verb
     expression: evt.Parsed.verb
   - meta: target_server
     expression: evt.Parsed.target_server

I've submitted a pull request to Crowdsec. Hopefully it will be approved, and you should then be able to just install the collection with the following. This would then install the latest base-http-scenarios and zoraxy-logs parser, leaving you to just set up the acquisition file.

cscli collections install raithmir/zoraxy-logs

[KoenVanduffel]

I installed your parser, will report back results when they come in.

[Raithmir]

It would be useful if we could get the HTTP user-agent included in the logs, that can be further filtered in the Crowdsec base-http-scenarios. I might have a look at the logging code and submit a pull request if I get chance. I'm not familiar with Go though.

Looks like r.UserAgent() is already captured for the Statistical Analysis view, so presuming it would be easy enough to add to the logs.

[Raithmir]

Also, I've not tested this as I'm not running in Docker, but the following may work for the acquisition file if you are (/etc/crowdsec/acquis.d/zoraxy.yaml)...

source: docker
container_name:
  - zoraxy
labels:
  type: zoraxy

[LaurenceJJones]

Yes this will work as long as the logs are written to the container stdout,

[Raithmir]

Updated parser file (/etc/crowdsec/parsers/s01-parse/zoraxy-logs.yaml) if you're running the v3.2.0 pre-release (which adds in the useragent in the logs).

#
name: raithmir/zoraxy-logs
description: "Parse Zoraxy logs"
filter: "evt.Parsed.program == 'zoraxy'"
onsuccess: next_stage
#debug: true

nodes:
 - grok:
     pattern: '\[%{TIMESTAMP_ISO8601:time_stamp}\] \[router:(?:host-http|whitelist|blacklist|subdomain-http|host-websocket|vdir-http|vdir-websocket|redirect)\] \[origin:%{IPORHOST:target_server}?\] \[client: %{IPORHOST:remote_addr}\] \[useragent: %{DATA:http_user_agent}\] %{WORD:verb} %{DATA:request} %{NUMBER:status}'
     apply_on: message
     statics:
       - meta: log_type
         value: http_access-log
       - target: evt.StrTime
         expression: evt.Parsed.time_stamp

statics:
   - meta: service
     value: http
   - meta: source_ip
     expression: evt.Parsed.remote_addr
   - meta: http_status
     expression: evt.Parsed.status
   - meta: http_path
     expression: evt.Parsed.request
   - meta: http_verb
     expression: evt.Parsed.verb
   - meta: http_user_agent
     expression: "evt.Parsed.http_user_agent"
   - meta: target_server
     expression: evt.Parsed.target_server

[Tschaeeens]

Hello, thank you very much for the instructions. One question is how to install the crowdsec bouncer. Use zoraxy as Docker on unraid. I also have a crowdsec docker running. I'm just wondering whether I still need the bouncer.

[Raithmir]

Updated parser file (/etc/crowdsec/parsers/s01-parse/zoraxy-logs.yaml) to include [router:root-no_resp] log entries where Zoraxy blocks requests for unknown hosts. The pull request to add this to a new Crowdsec hub collection is still awaiting review over there.

#
name: raithmir/zoraxy-logs
description: "Parse Zoraxy logs"
filter: "evt.Parsed.program == 'zoraxy'"
onsuccess: next_stage
#debug: true

nodes:
 - grok:
     pattern: '\[%{TIMESTAMP_ISO8601:time_stamp}\] \[router:(?:host-http|whitelist|blacklist|subdomain-http|host-websocket|vdir-http|vdir-websocket|redirect|root-no_resp)\] \[origin:%{IPORHOST:target_server}?\] \[client: %{IPORHOST:>
     apply_on: message
     statics:
       - meta: log_type
         value: http_access-log
       - target: evt.StrTime
         expression: evt.Parsed.time_stamp
statics:
   - meta: service
     value: http
   - meta: source_ip
     expression: evt.Parsed.remote_addr
   - meta: http_status
     expression: evt.Parsed.status
   - meta: http_path
     expression: evt.Parsed.request
   - meta: http_verb
     expression: evt.Parsed.verb
   - meta: http_user_agent
     expression: evt.Parsed.http_user_agent
   - meta: target_server
     expression: evt.Parsed.target_server

[LaurenceJJones]

Merged @Raithmir collection for Zoraxy please find the collection via https://app.crowdsec.net/hub/author/Raithmir/collections/zoraxy

note parser supports version 3.2.0 and higher only due to useragent being added, let us know and we can probably make the useragent optional until GA

[Raithmir]

• Install CrowdSec - https://app.crowdsec.net/security-engines/setup?distribution=linux

• Install relevant firewall bouncer (iptables or nftables) - https://docs.crowdsec.net/u/bouncers/firewall/

• Install Zoraxy collection - cscli collections install raithmir/zoraxy-logs

• Create an acquisition file (/etc/crowdsec/acquis.d/zoraxy.yaml) to point to your log file location...

filenames:
  - "/opt/zoraxy/log/zr_*.log"
labels:
  type: "zoraxy"

Or if you've installed Zoraxy via Docker...

source: docker
container_name:
  - zoraxy
labels:
  type: zoraxy

• Finally don't forget to enroll the agent in the crowdsec console. You have a command in there when you're logged in similar to...

sudo cscli console enroll -e context cl8ft6asz11111jmrrrppapye

[Sph1nX-GER]

thanks @Raithmir it now works, before it didn't, but thats because my Zoraxy instance was too old.
I updated to 3.2.4 and now it has the needed UserAgent in the logs and I see the Logs are getting parsed correctly by Crowdsec =)

cscli parsers inspect Raithmir/zoraxy-logs
type: parsers
stage: s01-parse
name: Raithmir/zoraxy-logs
file_name: zoraxy-logs.yaml
description: Parse Zoraxy logs
path: parsers/s01-parse/Raithmir/zoraxy-logs.yaml
version: "0.1"
dependencies: {}
local_path: /etc/crowdsec/parsers/s01-parse/zoraxy-logs.yaml
local_version: "0.1"
local_hash: xxx
downloadpath: /etc/crowdsec/hub/parsers/s01-parse/Raithmir/zoraxy-logs.yaml
up_to_date: true
tainted: false
belongs_to_collections:

• Raithmir/zoraxy
  installed: true
  local: false

Current metrics:
╭───────────────────────────────────────────────────────────────╮
│ (Parser) Raithmir/zoraxy-logs │
├────────────────────────────────────┬──────┬────────┬──────────┤
│ Parsers │ Hits │ Parsed │ Unparsed │
├────────────────────────────────────┼──────┼────────┼──────────┤
│ file:/opt/zoraxy/log/zr_2025-7.log │ 5705 │ 1795 │ 3910 │
╰────────────────────────────────────┴──────┴────────┴──────────╯

[AnthonyMichaelTDM]

Shameless plug, but I've been working for the past couple days on creating a dynamic capture plugin to act as a crowdsec bouncer for zoraxy, and it's finally in a working state.
It's very much a work in progress, so I can't guarantee stability, but I'm using it on my server.

Here's a link to the GitHub repo https://github.com/AnthonyMichaelTDM/zoraxy_crowdsec_bouncer/tree/main, and see #738 (comment) for a discussion of the current caveats/limitations

[king8084]

Shameless plug, but I've been working for the past couple days on creating a dynamic capture plugin to act as a crowdsec bouncer for zoraxy, and it's finally in a working state. It's very much a work in progress, so I can't guarantee stability, but I'm using it on my server.

Here's a link to the GitHub repo https://github.com/AnthonyMichaelTDM/zoraxy_crowdsec_bouncer/tree/main, and see #738 (comment) for a discussion of the current caveats/limitations

Is this enough? Or i need to install crowdsrc as well seoerately?

[EthicalPrivaSecretarium]

I have the following configured, will work as well, right?

filenames:
  - /var/log/zoraxy/*
labels:
  type: zoraxy

[EthicalPrivaSecretarium]

I can see the good thing level=info msg="Adding file /var/log/zoraxy/zr_2025-10.log to datasources" type=file

[EthicalPrivaSecretarium]

Have installed in TrueNAS so I had to modify the IP and port lines to fit TrueNAS's requirement for dedicated IP

services:
  zoraxy:
    image: zoraxydocker/zoraxy:latest
    container_name: zoraxy
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - host_ip: x.x.x.x
        mode: ingress
        protocol: tcp
        published: 80
        target: 80
      - host_ip: x.x.x.x
        mode: ingress
        protocol: tcp
        published: 443
        target: 443
      - host_ip: x.x.x.x
        mode: ingress
        protocol: tcp
        published: 8000
        target: 8000
    volumes:
      - ./config/:/opt/zoraxy/config/
      - ./plugin/:/opt/zoraxy/plugin/
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime
    extra_hosts:
      - "host.docker.internal:host-gateway"
    environment:
      FASTGEOIP: "true"
      DOCKER: "true"

  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: zoraxy-crowdsec
    environment:
      GID: "${GID-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
    volumes:
      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
      - ./crowdsec/db:/var/lib/crowdsec/data/
      - ./crowdsec/config:/etc/crowdsec/
      - ./config/log:/var/log/zoraxy/:ro
    networks:
      - proxy
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
networks:
  proxy:
    external: true

Using this plugin for Zoraxy: https://github.com/AnthonyMichaelTDM/zoraxy_crowdsec_bouncer/tree/main

All are configured and working properly except when I use cscli decisions add --ip to ban my IP for a test, I can still access to services.

Now I get [plugin-manager] [system:info] [Crowdsec Bouncer Plugin for Zoraxy:41] time="2025-10-06T21:29:35+02:00" level=warning msg="Signal handler received an error: interrupt error: SIGTERM"

[EthicalPrivaSecretarium]

Okii! There is only "Cloud" on the drop down list.

[EthicalPrivaSecretarium]

Finally seeing some numbers.

Gosh I took 12 hours to troubleshoot. >24 hours ago I begun installing Zoraxy

[EthicalPrivaSecretarium]

And now, I could ban myself😌

[EthicalPrivaSecretarium]

After I added the collection for Zoraxy, I got banned automatically by some rules that I was accessing my Nextcloud.

Which is so darn good!

Yeah I whitelisted the IP to never ban myself.

[kabelsalatundklartext]

Nachdem ich die Sammlung für Zoraxy hinzugefügt hatte, wurde ich automatisch durch einige Regeln gesperrt, dass ich auf meine Nextcloud zugriff.

Das ist so verdammt gut!

Ja, ich habe die IP auf die Whitelist gesetzt, um mich nie selbst zu sperren.

Hello, you mentioned that it took you a bit of time to get it running?

I’m using Unraid myself and have Zoraxy running as a Docker container, but somehow CrowdSec doesn’t communicate with the plugin – and vice versa.