Stuck sending event

Hi there!
Yesterday our wordpress systems were under a denial of service attack from quite a large botnet. Not blocking this automatically was probably due to us not having CrowdSec properly configured, but this is something we will figure out.

However, upon looking through the logs I've found that quite often we get logs like this (a few dozen lines of the sort each time):

time="2025-06-03T00:53:43+02:00" level=warning msg="stuck for 100.045065ms sending event to cf940ed6ecee9958fbf45df56908a9621617b293 (sigclosed:0 failed_sent:7099999 attempts:7100000)" cfg=summer-shape name=crowdsecurity/http-probing

time="2025-06-03T00:53:43+02:00" level=warning msg="stuck for 100.045065ms sending event to cf940ed6ecee9958fbf45df56908a9621617b293 (sigclosed:0 failed_sent:7099999 attempts:7100000)" cfg=summer-shape name=crowdsecurity/http-probing

However, the identifier after

to

to

is always different. Could you please tell me more about this log?
I assumed it was trying to send the event to our LAPI, but the identifier being different each time tells me I'm wrong.
Based on our graphs, I couldn't identify a CPU, RAM or network bottleneck either that would cause it to delay (neither on the LAPI neither on the client server).

CrowdSec•6/3/25, 6:34 AM

Important Information

This post has been marked as resolved. If this is a mistake please press the red button below or type

/unresolve

/unresolve

•

6/3/25, 9:46 AM

blotus•6/3/25, 8:39 AM

This logs will happen if crowdsec takes too long to pour an event into a bucket (the id you see is the internal id of the bucket).

This can happen if crowdsec needs to handle much more logs it can (if you were under a big ddos with the default config, that's probably not surprising, by default we only use 1 CPU core).

For this particular error, you can increase the buckets_routines directive

CrowdSec Configuration | CrowdSec

CrowdSec has a main yaml configuration file, usually located in /etc/crowdsec/config.yaml.

Loz•6/3/25, 8:48 AM

just note you should increase and in unison so both should be the same value.

alukasOP•6/3/25, 9:11 AM

Alright, that makes perfect sense, thank you!
So could it also be that our configurations regarding who to ban were right, it was just too overwhelmed because of this?

Aalukas Alright, that makes perfect sense, thank you! So could it also be that our confi...

Loz•6/3/25, 9:20 AM

These logs happen before an alert is made, basically the manager that is monitoring the buckets was struggling to keep up cause so many events were being poured at the same time, increasing the routines means instead of one manager there are multiple working in unison.

alukasOP•6/3/25, 9:46 AM

Ah, I see!
Thank you very much for your help, we'll modify the configs, and hope for the best.
Have a great day!

CCrowdSec Empty message

CrowdSecAPP•6/3/25, 9:46 AM

Resolving Stuck sending event

CrowdSec•6/3/25, 9:46 AM

This has now been resolved. If you think this is a mistake please run

/unresolve

/unresolve