CrowdSec: IDS/IPS/WAF Community

npmplus parsing

I recently migrated from npm to npmplus and it appears the logs aren't being parsed?

Custom scenario not triggering neither alert nor decision

Hello! I installed CrowdSec with Helm on my Google Kubernetes cluster with this chart version: 0.14.1. I also deployed my custom parser, custom scenario (named crowdsecurity/compte_xxx_login_error) and custom profile....

[appsec] - misleading error log

Hello, crowdsec version: 1.6.5~rc4 crowdsec-openresty-bouncer: 1.0.2 ...

Crowdsec docker - alert notifications to STDOUT

Hello, I want to use filebeats docker input to ingest alerts from crowdsec. Is there any way I can redirect alert notifications to stdout? https://www.elastic.co/guide/en/beats/filebeat/7.17/filebeat-input-docker.html...

Tracking nginx host not being banned

I’m trying to figure out why host 62 isn’t banning from failed login attempts; this host does not fall under my Authentik. Here are the acquisition metrics

Chaining bouncer inside access_by_lua_block

Hi everyone! I'm setting up an OpenResty bouncer but I need to chain it before a different module (which is a custom DDoS protection script) so that the module that follows after the bouncer is the final one that completes the request. My access_by_lua_block is roughly as follows: ```lua -- snip local bouncer = require "lua/bouncer"...

Active bans with Prometheus

Hi, I have set up crowdsec with Prometheus metrics and it is working fine. I am trying to understand how to monitor active bans using the exposed Prometheus metrics. From what I understand, I can use cs_active_decisions, which shows a gauge per scenario, and cs_alerts, which is also a gauge of the number of alerts (excluding CAPI). But I don't understand the values of these gauges; what do they represent? For example, I have this metric exposed cs_active_decisions{action="ban",origin="CAPI",reason="crowdsecurity/http-admin-interface-probing"} 320 but using cscli decisions list there are only two active bans for this scenario. How to interpret the number 320? Thanks for your help!...

appsec ip

Maybe I'm confused, but what does the IP for appsec need to be? I keep getting bind errors... I'm on Unraid but localhost:port doesn't seem to work?

Injection of a banned IPv4

Hello, we have more than 100,000 IPv4s in a list that we want to ban. At the moment I'm running a Python script but it's very time-consuming. Is there any other way of injecting? Python script made in ChatGPT:...

CrowdSec Mikrotik Bouncer fails to add banned ip to address list

It mainly works, but every few hours some banned address is not added to the address list, until I manually reboot the docker container, then it appears. What could be the culprit? Here's an example of a failed add: the event was not logged at all in the mikrotik container, here's an extraction at ban's time `crowdsec_mikrotik | {"level":"info","time":"2025-01-20T13:00:31Z","message":"removed decisions: IP: 164.163.25.225 | Scenario: crowdsecurity/netgear_rce | Duration: -11s | Scope : Ip"}...

"No matching files for pattern /services/traefik/traefik.log" although file exists

Hello guys, I'm getting the following error message from crowded.service:
No matching files for pattern /services/traefik/traefik.log
But the file exists....

Where to put the `.yaml.local` files?

According to the docs: https://docs.crowdsec.net/docs/configuration/crowdsec_configuration#configuration-files-that-support-yamllocal you are able to create files which will overwrite the entries of the original config file but where do I have to put those .yaml.local files? Inside the config_dir directory which is set in config_paths? I'm specifically asking for the bouncers/crowdsec-firewall-bouncer.yaml....

Keep bouncer API as a secret?

This may sound dumb, but does the API key of a bouncer have to be kept private or is it fine if it can be publicly seen? My LAPI and the bouncers are running on the same host...

crowdsec init: while loading acquisition config: no datasource enabled

I currently have only one file in my acquis.d: ```yaml source: journalctl journalctl_filter: - "-k"...

FATA can't find 'crowdsecurity/linux' in collections

Hello guys, I'm getting the following error message after executing
cscli collections install crowdsecurity/linux
```...

Create dashboard without using cli?

Hi! Is there a dashboard image to set it up with the cli?

Newbie: How to use CrowdSec

Hello guys! I've just heard about CrowdSec for about a day now and I'm interested in adding it to my homelab. However, I'm overwhelmed by the website since it looks like as if there are a crazy amount of ways how to set up crowdsec. I have a VPS so I'm using ssh and I also use traefik. What would you recommend to do to include CrowdSec to this setup? I want CrowdSec to listen to my system ports but also to the traefik traffic (if possible?)....

Appsec + Traefik = 403

Hey, I'm running crowdsec bare metal with tls authentication and wanted to use appsec with traefik. I configured the traefik bouncer according to the docs but when I enable Appsec the site only responds with 403 error messages. With appsec disabled all works fine. The bouncer is registered in the remote lapi. I'm running ubuntu 24.04 and the latest traefik docker version. I tried to disable any single option from the appsec dynamic config without success and also tried with api-key authentication. I don't see any errors in the logs from either crowdsec or traefik. It just doesn't work when I enable appsec....

Wireguard TLS client not connecting

Hey, I'm trying to get my hetzner wireguard vps working with crowdsec. I followed the TLS guide with cfssl from your website and that's working great in my local network so far. I made an unbound DNS overwrite to "security.localdomain" which includes my local crowdsec ip (192.168...) and the wireguard ip (10.0.0.3) in opnsense, installed all ecdsa521-certificates for the bouncer and agent. Worked more or less flawlessly except with my wireguard connected server. I added the security.localdomain in the /etc/hosts file of the VPS and installed the ca-intermediate cert in /etc/ssl/certs IIRC and I'm able to ping the domain with correct WG IP address, but the lapi still refuses any connection. It worked without any TLS certificates. ping security.localdomain or ping 10.0.0.3 are all connecting and wg is up and running....

Get no Heartbeat from Home Assistant Crowdsec AddOn

Hey there, I installed the Crowdsec AddOn on my Home Assistant Server. The server is a Raspberry Pi with the Home Assistant OS. I disabled the LAPI via the GUI and registered the Home Assistant instance by the following commands. The commands were executed via the Crowdsec Terminal on the GUI. ``` sudo cscli lapi register -u http://192.168.1.1:8080...