# OpenWrt Firewall Logs Acquisition
# This configuration monitors iptables/nftables firewall logs
#
# Required collections:
#   cscli collections install crowdsecurity/iptables
#
# The crowdsecurity/iptables collection provides:
#   - crowdsecurity/iptables-logs parser (for -j LOG entries)
#   - crowdsecurity/iptables-scan-multi_ports scenario (port scan detection)
#
# To enable firewall logging in OpenWrt, add LOG rules to your firewall config:
#
# For nftables (OpenWrt 22.03+):
#   nft add rule inet fw4 input counter log prefix "fw4-INPUT: " drop
#
# For iptables (legacy):
#   iptables -A INPUT -j LOG --log-prefix "iptables-INPUT: "
#
# Or via /etc/config/firewall:
#   config rule
#       option name 'Log-Dropped'
#       option src 'wan'
#       option dest '*'
#       option proto 'all'
#       option target 'LOG'
#       option log_prefix 'fw-DROP: '
#
# Firewall logs are typically written to the kernel log (kern.log)
# or to syslog, depending on system configuration.

# Kernel/firewall log file acquisition
filenames:
  - /var/log/kern.log
  - /var/log/firewall.log
labels:
  type: syslog
---
# Alternative: if firewall logs go to the main syslog,
# the openwrt-syslog.yaml acquisition will capture them
# as long as the iptables collection parser is installed
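# Added illustration (not part of this acquisition file, and not CrowdSec's own
# parser or scenario code): a small Python script that parses the kernel-log
# lines produced by the LOG rules above and applies a simple "many distinct
# destination ports from one source in a short window" rule, which is the
# shape of event the iptables-scan-multi_ports scenario is meant to catch.
# The sample log lines, hostname, addresses and thresholds are constructed for
# the example; the function names are the script's own, not CrowdSec's.

```python
"""Parse netfilter LOG lines (iptables -j LOG / nft ... log prefix) as they
appear in an OpenWrt kernel log and flag sources probing many distinct ports.
Standalone illustration; thresholds and sample data are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Syslog-style kernel line: "<timestamp> <host> kernel: [<uptime>] <prefix>IN=..."
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>.*?)\s*(?P<fields>IN=.*)$"
)
# netfilter fields are KEY=VALUE; bare flags such as DF or SYN have no "=" and are skipped
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: five probes from one source within four seconds, two
# ordinary drops from another source, and one non-firewall syslog line.
SAMPLE_LOG = """\
Jan 12 10:15:32 OpenWrt kernel: [12345.678901] fw4-INPUT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:15:33 OpenWrt kernel: [12346.678901] fw4-INPUT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44124 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:15:33 OpenWrt kernel: [12346.778901] fw4-INPUT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44125 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:15:34 OpenWrt kernel: [12347.678901] fw4-INPUT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44126 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:15:36 OpenWrt kernel: [12349.678901] fw4-INPUT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44127 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:15:40 OpenWrt kernel: [12353.100000] fw-DROP: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 10:15:41 OpenWrt kernel: [12354.200000] fw-DROP: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 PROTO=UDP SPT=5353 DPT=53 LEN=40
Jan 12 10:15:42 OpenWrt dropbear[1234]: Child connection from 198.51.100.20:51000
"""


def parse_line(line):
    """Return a dict for a firewall LOG line, or None for any other syslog line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "prefix": m.group("prefix").rstrip(": "),  # "fw4-INPUT: " -> "fw4-INPUT"
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if fields.get("SPT") else None,
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def parse_lines(lines):
    """Parse an iterable of log lines, keeping only netfilter LOG events."""
    return [ev for ev in (parse_line(l) for l in lines) if ev]


def count_by_prefix(events):
    """How many events each LOG rule (identified by its log prefix) produced."""
    return Counter(ev["prefix"] for ev in events)


def detect_port_scans(events, distinct_ports=5, window=timedelta(seconds=10)):
    """Flag sources that hit >= distinct_ports different DPTs within `window`.

    Sliding-window version of the multi-port scan idea: a single source
    touching many distinct ports in a short burst. Thresholds are illustrative.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["src"] and ev["dpt"] is not None:
            by_src[ev["src"]].append((ev["ts"], ev["dpt"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            # advance the window start until it is within `window` of the newest hit
            while ts - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= distinct_ports:
                flagged.setdefault(src, set()).update(ports)
    return flagged


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOG.splitlines())
    print(dict(count_by_prefix(events)))
    for src, ports in detect_port_scans(events).items():
        print(f"possible port scan from {src}: ports {sorted(ports)}")
```

# Run it against a real kern.log with `parse_lines(open("/var/log/kern.log"))`
# to confirm your LOG rules actually reach the file this acquisition reads and
# that the prefixes you configured are the ones showing up.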