# HAProxy MITRE ATT&CK

> Forward HAProxy traffic logs to OneFirewall through Fluent Bit for MITRE ATT&CK pattern detection and IPS reporting

This guide explains how to configure HAProxy and the OneFirewall Fluent Bit adapter to collect HTTP traffic logs, forward them to OneFirewall, and enable pattern detection aligned with MITRE ATT&CK techniques.

## Overview

The integration uses HAProxy as the ingress point and Fluent Bit as the log collection and forwarding layer.

* HAProxy emits structured access logs with the `HAPROXY_LOG` prefix.
* Fluent Bit receives HAProxy syslog events over UDP.
* The OneFirewall Fluent Bit adapter parses the records using `catchall_parser`.
* OneFirewall analyzes the traffic for malicious behavior and pattern detection mapped to MITRE ATT&CK.
* Optional IPS reporting can send suspicious IP intelligence back to the OneFirewall cloud.

## 1. HAProxy Logging Configuration

Update the `global` section of your `haproxy.cfg` to send logs both to stdout and to the Fluent Bit adapter over UDP.

```cfg
global
  log stdout format raw local0
  log 172.17.0.1:31514 local0
```

The UDP destination must match the host and port exposed by the Fluent Bit adapter. In the Docker Compose example below, Fluent Bit listens on `172.17.0.1:31514` and forwards UDP traffic to container port `514`.

## 2. HAProxy Frontend Configuration

In the HAProxy frontend, capture the relevant request headers and define a log format that the OneFirewall Fluent Bit adapter can parse.

```cfg
frontend balancer
  bind :80
  bind *:443 ssl crt /certs/ingress-ofa.pem
  timeout http-keep-alive 10s
  capture request header x-forwarded-for len 200
  capture request header Host len 64
  capture request header Cf-Pseudo-IPv4 len 64

  http-request deny if { hdr_ip(X-Forwarded-For) -f /ofa/ofa.csv }

  http-request set-var(txn.xff) req.hdr_ip(X-Forwarded-For,1)
  acl xff_private var(txn.xff) -m ip 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8
  http-request set-log-level silent if xff_private || !{ var(txn.xff) -m found }
  log-format "HAPROXY_LOG %[var(txn.xff)] %ci %cp %fp %H \"%r\" %ST"
```

Two of these directives are required for OneFirewall pattern detection:

* `http-request set-var(txn.xff) req.hdr_ip(X-Forwarded-For,1)` stores the first address from the `X-Forwarded-For` header as the original client IP.
* `log-format "HAPROXY_LOG ..."` emits a predictable log structure containing the original IP, connection metadata, HTTP protocol, raw request, and status code.

The resulting log fields are:

| Field             | Description                               |
| ----------------- | ----------------------------------------- |
| `HAPROXY_LOG`     | Static prefix used by the parser          |
| `%[var(txn.xff)]` | Original client IP from `X-Forwarded-For` |
| `%ci`             | HAProxy client IP                         |
| `%cp`             | Client source port                        |
| `%fp`             | Frontend destination port                 |
| `%H`              | HTTP protocol version                     |
| `%r`              | Full HTTP request line                    |
| `%ST`             | HTTP response status code                 |
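To check that the `log-format` above produces records in the shape the table describes, the following Python parser splits a `HAPROXY_LOG` line into its fields and also reproduces the `xff_private` ACL so that a record which should have been silenced stands out. This is an added example, not code from OneFirewall or from the adapter; the field names, the `HaproxyRecord` class and the sample log lines are constructed here, and the fifth token is labelled `http_version` as in the field table.

```python
"""Parse HAPROXY_LOG records produced by the log-format shown above."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Token order mirrors the log-format directive:
#   "HAPROXY_LOG %[var(txn.xff)] %ci %cp %fp %H \"%r\" %ST"
HAPROXY_LOG_RE = re.compile(
    r'^HAPROXY_LOG\s+'
    r'(?P<xff>\S+)\s+'            # %[var(txn.xff)]: first X-Forwarded-For address
    r'(?P<client_ip>\S+)\s+'      # %ci
    r'(?P<client_port>\d+)\s+'    # %cp
    r'(?P<frontend_port>\d+)\s+'  # %fp
    r'(?P<http_version>\S+)\s+'   # %H, as described in the field table above
    r'"(?P<request>[^"]*)"\s+'    # %r, quoted because the request line contains spaces
    r'(?P<status>-?\d+)\s*$'      # %ST (HAProxy logs -1 when no response was produced)
)

# Same prefixes as the xff_private ACL in the frontend configuration.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]


@dataclass
class HaproxyRecord:
    xff: str
    client_ip: str
    client_port: int
    frontend_port: int
    http_version: str
    method: str
    path: str
    status: int


def parse_haproxy_log(line: str) -> Optional[HaproxyRecord]:
    """Return a record for a HAPROXY_LOG line, or None for any other line."""
    m = HAPROXY_LOG_RE.match(line.strip())
    if not m:
        return None
    # %r is "<method> <uri> <version>"; a malformed request may carry fewer parts.
    parts = m.group("request").split(" ")
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    return HaproxyRecord(
        xff=m.group("xff"),
        client_ip=m.group("client_ip"),
        client_port=int(m.group("client_port")),
        frontend_port=int(m.group("frontend_port")),
        http_version=m.group("http_version"),
        method=method,
        path=path,
        status=int(m.group("status")),
    )


def matches_private_acl(record: HaproxyRecord) -> bool:
    """True when txn.xff falls in a range the xff_private ACL would silence."""
    try:
        addr = ipaddress.ip_address(record.xff)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def parse_lines(lines: List[str]) -> List[HaproxyRecord]:
    """Parse every HAPROXY_LOG line in order; lines that do not match are skipped."""
    return [r for r in (parse_haproxy_log(ln) for ln in lines) if r is not None]


# Constructed sample lines (not captured from a real deployment).
SAMPLE_LINES = [
    'HAPROXY_LOG 203.0.113.7 172.17.0.5 51234 443 HTTP/1.1 "GET /index.html HTTP/1.1" 200',
    'HAPROXY_LOG 198.51.100.23 172.17.0.5 51240 443 HTTP/1.1 "GET /.env HTTP/1.1" 404',
    'HAPROXY_LOG 10.1.2.3 172.17.0.5 51250 80 HTTP/1.1 "GET /health HTTP/1.1" 200',
    'Jan 10 12:00:00 haproxy[1]: Proxy balancer started.',  # not a traffic record
]

if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        note = " (would be silenced by xff_private)" if matches_private_acl(rec) else ""
        print(f"{rec.xff} {rec.method} {rec.path} -> {rec.status}{note}")
```

Run it against a copy of the HAProxy stdout log: every traffic line should parse, and any record that `matches_private_acl` reports means the `set-log-level silent` rule is not taking effect for that source.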

## 3. OneFirewall Fluent Bit Adapter

Add the OneFirewall Fluent Bit adapter to your Docker Compose stack.

```yaml
onefirewall-fluentbit-adapter:
  image: registry.onefirewall.com/onefirewall-fluentbit-adapter:v2
  environment:
    FIREWALL_PARSER: "catchall_parser"
    LOG_LEVEL: "info" # debug, info, warn, error
    ENABLE_STDOUT: "*_ofa_logs"
    DEBUG_LUA: "false"
    FLUSH_INTERVAL_SECONDS: "5" # 5 seconds
    OFA_EVENTS_FLUSH_INTERVAL: "5"
    OFA_POLL_INTERVAL_HOURS: "1"
    OFA_JWT_TOKEN: "TOKEN_OFA"
    OFA_API_URL: "https://app.onefirewall.com or http[s]://localhost:PORT"
    OFA_MIN_SCORE_TO_LOG: "2"
    OFA_LAST_EVENTS: "2000000"
    OFA_MEMBER_ID: "OFA-GID-"
    OFA_API_URL_CLOUD: "https://app.onefirewall.com"
    OFA_JWT_TOKEN_CLOUD: "OFA_TOKEN_FOR_IPS_REPORT"
    OFA_AGENT: "haproxy_waf"
    OFA_AGENT_LID: "report_xxxxx"
    OFA_AGENT_TAGS: "report_xxxxx"
    OFA_CONTRIBUTE: "0"
    OFA_IPS_FLUSH_INTERVAL: "300" # 5 minutes
    OFA_IPS_LIMIT: "1000"
    OFA_IPS_WORDS: "ofa_warning" # lowercase, comma-separated values
    OFA_IPS_PORTS: "443"
    SEND_TRAFFIC: "yes"
    ENABLE_ELASTIC_OUTPUT: "*_ofa_logs_OFF"
    ELASTIC_IP: "192.168.2.100"
    ELASTIC_PORT: "39220"
    ELASTIC_INDEX: "poc_traffic"
  ports:
    - "172.17.0.1:31514:514/udp"
```

<Note>
  For `OFA_API_URL`, provide only the protocol, host, and optional port, for example `https://app.onefirewall.com` or `http://localhost:8080`. Do not include the API path; the adapter resolves the required endpoint automatically.
</Note>

## 4. Environment Variables

| Variable                                      | Purpose                                                                                                                                     |
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `FIREWALL_PARSER`                             | Selects the parser used by the adapter. Use `catchall_parser` for this HAProxy log format.                                                  |
| `OFA_JWT_TOKEN`                               | Token used to authenticate with the target OneFirewall API.                                                                                 |
| `OFA_API_URL`                                 | OneFirewall API base URL, either the cloud service or a local installation for clients. Use only protocol, host, and optional port.         |
| `OFA_MIN_SCORE_TO_LOG`                        | Minimum score required before events are logged by the adapter.                                                                             |
| `OFA_MEMBER_ID`                               | OneFirewall member identifier, used when sending data directly to Elasticsearch.                                                            |
| `OFA_API_URL_CLOUD`                           | OneFirewall cloud URL used for IPS partner reporting, or the local client installation URL, depending on whether the partner contributes to the OneFirewall Alliance |
| `OFA_JWT_TOKEN_CLOUD`                         | Token used for IPS report submission to the OneFirewall cloud.                                                                              |
| `OFA_AGENT`                                   | Agent type reported to OneFirewall. For HAProxy WAF deployments, use `haproxy_waf`.                                                         |
| `OFA_AGENT_LID`                               | Local identifier for this reporting agent.                                                                                                  |
| `OFA_AGENT_TAGS`                              | Tags associated with the generated reports.                                                                                                 |
| `OFA_CONTRIBUTE`                              | Enables or disables contribution mode. Use `0` to disable contribution.                                                                     |
| `OFA_IPS_FLUSH_INTERVAL`                      | Interval, in seconds, used to flush IPS reports.                                                                                            |
| `OFA_IPS_LIMIT`                               | Maximum number of IPS items sent per flush.                                                                                                 |
| `OFA_IPS_WORDS`                               | Keywords used to select IPS events. Values must be lowercase and comma-separated.                                                           |
| `OFA_IPS_PORTS`                               | Ports associated with IPS reporting.                                                                                                        |
| `SEND_TRAFFIC`                                | Enables traffic forwarding to OneFirewall when set to `yes`.                                                                                |
| `ENABLE_ELASTIC_OUTPUT`                       | Enables or disables Elasticsearch output routing.                                                                                           |
| `ELASTIC_IP`, `ELASTIC_PORT`, `ELASTIC_INDEX` | Elasticsearch destination settings when direct Elasticsearch output is enabled.                                                             |

## 5. MITRE ATT&CK Pattern Detection Flow

With this configuration, HAProxy provides enough context for OneFirewall to analyze web traffic and detect suspicious patterns.

```mermaid
flowchart LR
  Client[Client / Attacker] --> HAProxy[HAProxy Ingress]
  HAProxy -->|UDP syslog: HAPROXY_LOG| FluentBit[OneFirewall Fluent Bit Adapter]
  FluentBit -->|Parsed traffic events| OFA[OneFirewall]
  OFA --> Detection[MITRE ATT&CK Pattern Detection]
  Detection --> Reports[Events, IPS Reports, Optional Elasticsearch]
```

The `HAPROXY_LOG` records allow OneFirewall to evaluate request behavior such as suspicious paths, attack tooling, anomalous source IPs, abusive request patterns, and other indicators associated with MITRE ATT&CK techniques.

## 6. Validation Checklist

After deploying the configuration, verify the following:

* HAProxy starts successfully with the updated `global` and `frontend` configuration.
* UDP port `31514` is bound on `172.17.0.1` by the Fluent Bit adapter.
* HAProxy logs contain the `HAPROXY_LOG` prefix.
* The Fluent Bit adapter logs show parsed records matching `*_ofa_logs`.
* OneFirewall receives traffic events from the `haproxy_waf` agent.
* IPS reporting is enabled only when `OFA_API_URL_CLOUD` and `OFA_JWT_TOKEN_CLOUD` are configured with valid cloud credentials.

## Result

Once enabled, HAProxy continues to serve traffic while producing structured logs for OneFirewall. The Fluent Bit adapter forwards those events for MITRE ATT&CK pattern detection, optional IPS reporting, and optional Elasticsearch output depending on the configured environment variables.
