CrowdSec

CrowdSec: IDS/IPS/WAF Community

metrics not showing in webapp

Hey, I just set up CrowdSec with Traefik and enrolled in the CrowdSec webapp. There are no alerts showing up, but cscli metrics shows some scans etc. Does it take some time to show them, or did I set up something wrong? Not sure. Any help is appreciated. (I tested with manual IP ban rules that CrowdSec works)...

Docs links broken?

Hello there, the CrowdSec documentation seems to be broken/missing.... I was setting up a Red Hat 9 server for the first time (I have only used Ubuntu for CrowdSec so far) and hit an issue that /etc/crowdsec/acquis.d did not exist and CrowdSec would not start...

Replay user.yaml file

Hello, I'm looking at the replay guide https://docs.crowdsec.net/u/user_guides/replay_mode/ and it mentions a /etc/crowdsec/user.yaml file. There is a post from 2023 saying that this file (or dev.yaml) isn't part of CrowdSec. Does the replay page need an edit, or details of how to create the user.yaml file in order to replay?

cscli caddy metrics not showing

I have the Caddy bouncer running on OPNsense (FreeBSD) with the CrowdSec plugin. Config appears to be okay, as does parsing. But no metrics regarding the Caddy bouncer are showing up. cscli explain of a sample line from Caddy's log is attached. s02-enrich detects the crowdsecurity/http-crawl-non_statics scenario. But I don't see a corresponding bouncer entry or pf entry blocking this IP. Caddy plugin config has the following global options: ``` "crowdsec": {...

Context enhancement?

How does one go about adding information to the default alert object for notification? Specifically, I see the default alert variable includes source information like so: "source": { "ip": "10.10.10.10", "scope": "Ip","value": "10.10.10.10"}. I'd like to add ASName, Latitude, and Longitude to it. In the HTTP notification, my format at the moment is rather simple: { "message": {{.|toJson}} }. I parse the appropriate information on the receiving end to write up whatever info I need. I'd like the source in the message JSON object itself to include additional information. Help please....

Missing notification-file plugin in FreeBSD (OPNSense)

Hello, I wanted to use the notifications plugin with OPNSense, but I got a plugin error when I tested the file (see https://docs.crowdsec.net/docs/next/local_api/notification_plugins/file). I've looked a bit deeper, and in my /usr/local/lib/crowdsec/plugins there is no notification-file file (the others exist). So it seems normal that I can't use the plugin. I've checked the FreeBSD 14 CrowdSec 1.7 package (https://freebsd.pkgs.org/14/freebsd-amd64/crowdsec-1.7.0_1.pkg.html) and I don't see the notification-file plugin in the files tree of the package....

Multiple collections in values.yaml

I'm presuming we can install multiple collections in the agent using the COLLECTIONS env value, but I'm not sure how it should be formatted. I tried passing a comma-separated list, but it failed to load any collections at that point. Any ideas?

Gather addresses to ban through standby loadbalancers

Hello, we deploy load balancers that share a virtual/floating IP address (VIP, using keepalived). When a server does not have the VIP, all the traffic it gets is from bots that should be banned (they are not using the service address and have found the host by port scanning). I'm wondering how to gather these only when the server does not have the VIP.

Docker mailserver logs not compatible with crowdsec

Hi all, I am trying to let CrowdSec scan my Docker Mailserver (DMS) logs; both are running in containers. It seems that the CrowdSec parser for dovecot/postfix is expecting syslog-formatted timestamps. DMS produces ISO 8601 format, hence my log files are not parsed. I am not able to force DMS to write a different log file format....

API port on 'agent'

Hi, quick question: is the port on a Docker 'agent' install (distributed setup, not the LAPI node) functional? I'm trying to monitor it but keep getting 'connection refused'...

Invoice recipient

Hi, I need to add a recipient for the invoice in my company organisation, but the "save recipient" field remains greyed out. Could you help me? Best regards, Nicolas...

haproxy spoa bouncer

Hi all, I am trying to use the HAProxy SPOA bouncer, but the issue I am seeing is that my website is behind Cloudflare. I've managed to pass the real IPs to both the HAProxy logs and down the line to nginx, but the bouncer is still only seeing Cloudflare's IPs. I've tried a few things using AI; unfortunately nothing really helped. My crowdsec.cfg: ```[crowdsec] spoe-agent crowdsec-agent messages crowdsec-ip crowdsec-http option var-prefix crowdsec...

Docker TLS authentication attack protection

I'm securing several Docker environments with TLS certificates (port 2376) and already use CrowdSec to block attacks at the application level. Now I want to protect against Docker daemon TLS authentication attacks as well. Current situation:
- Failed TLS authentication attempts are logged in journalctl -u docker
- No existing parsers or scenarios in the CrowdSec Hub for Docker daemon TLS failures...

help high cpu

Need help about a high CPU spike every 3 sec.

Zoraxy X Crowdsec Docker setup

Here's my custom compose.yaml to fit TrueNAS ``` services: zoraxy:...

Question about Caddy & Caddy Bouncer

I'm trying to use https://github.com/hslatman/caddy-crowdsec-bouncer with my Caddyfile in order to block malicious IPs; however, when I attempted to block my own IP (for testing purposes) I was still able to access the site. Am I doing something wrong? I also have the Caddy logs parser https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/caddy-logs, and I also added Cloudflare's IPs under trusted_proxies. It does show my IP correctly in the Caddy log under X-Forwarded-For, so I'm not sure why IPs aren't being blocked. I also ran tail /var/log/caddy/caddy.log | head -n 20 | cscli explain -f- --type caddy -v and it did indicate it was able to parse the log. I can provide a log file of it in DMs if need be...

NGINX Bouncer doesn't resolve domain names with DNSSEC enabled

After enabling DNSSEC in Unbound the NGINX Bouncer stopped resolving my LAPI's domain name. DNS is working perfectly fine.
2025/10/03 20:30:48 [error] 148448#148448: *21469 [lua] stream.lua:157: stream_query_api(): request to crowdsec lapi https://lapi.example.com/v1/decisions/stream?startup=true failed: lapi.example.com could not be resolved (110: Operation timed out), context: ngx.timer
...

Traffic being blocked inappropriately

I have the same IP that is being banned repeatedly. By reading the context, I can tell that it is watching videos through my self-hosted instance of Piped. I have configured OpenVPN on an OpenWRT router, and I did include tun0 in the firewall of the WAN interface. When I visit IP detection websites, they show the correct IP, which is the OpenVPN server's WAN IP. ...

nginx bouncer: attempt to concatenate local 'ip_type' (a nil value)

I just noticed that my NGINX Bouncer has stopped contacting my LAPI for decisions and has stopped bouncing. I re-created the API token for the bouncer just in case it was a weird bug, but that didn't fix it. I haven't changed my config in a while, so that shouldn't be the issue. I can see in NGINX's logs that the Bouncer quits on startup and then never runs again. ``` 2025/10/02 20:47:47 [info] 68873#68873: 1 [lua] crowdsec_nginx.conf:28):5: Initializing stream mode for worker 0, context: init_worker_by_lua...

State of cs-cloud-firewall-bouncer

Hi! My company is in need of a cloud firewall bouncer that can sync decisions to cloud providers' firewalls. After digging a bit, I found the crowdsecurity/cs-cloud-firewall-bouncer repo, which seems to do exactly that. We're willing to add an implementation for Scaleway LB ACLs but wanted to know if we should fork it or if the project is definitively abandoned. Cheers...