C
CrowdSec3mo ago
alukas

Stuck sending event

Hi there! Yesterday our wordpress systems were under a denial of service attack from quite a large botnet. Not blocking this automatically was probably due to us not having CrowdSec properly configured, but this is something we will figure out. However, upon looking through the logs I've found that quite often we get logs like this (a few dozen lines of the sort each time): 
time="2025-06-03T00:53:43+02:00" level=warning msg="stuck for 100.045065ms sending event to cf940ed6ecee9958fbf45df56908a9621617b293 (sigclosed:0 failed_sent:7099999 attempts:7100000)" cfg=summer-shape name=crowdsecurity/http-probing
time="2025-06-03T00:53:43+02:00" level=warning msg="stuck for 100.045065ms sending event to cf940ed6ecee9958fbf45df56908a9621617b293 (sigclosed:0 failed_sent:7099999 attempts:7100000)" cfg=summer-shape name=crowdsecurity/http-probing
However, the identifier after to is always different. Could you please tell me more about this log? I assumed it was trying to send the event to our LAPI, but the identifier being different each time tells me I'm wrong. Based on our graphs, I couldn't identify a CPU, RAM or network bottleneck either that would cause it to delay (neither on the LAPI neither on the client server).
7 Replies
CrowdSec
CrowdSec3mo ago
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
© Created By WhyAydan for CrowdSec ❤️
blotus
blotus3mo ago
This logs will happen if crowdsec takes too long to pour an event into a bucket (the id you see is the internal id of the bucket). This can happen if crowdsec needs to handle much more logs it can (if you were under a big ddos with the default config, that's probably not surprising, by default we only use 1 CPU core). For this particular error, you can increase the buckets_routines directive
CrowdSec Configuration | CrowdSec
CrowdSec has a main yaml configuration file, usually located in /etc/crowdsec/config.yaml.
iiamloz
iiamloz3mo ago
just note you should increase parser_routines and buckets_routines in unison so both should be the same value.
alukas
alukasOP3mo ago
Alright, that makes perfect sense, thank you! So could it also be that our configurations regarding who to ban were right, it was just too overwhelmed because of this?
iiamloz
iiamloz3mo ago
These logs happen before an alert is made, basically the manager that is monitoring the buckets was struggling to keep up cause so many events were being poured at the same time, increasing the routines means instead of one manager there are multiple working in unison.
alukas
alukasOP3mo ago
Ah, I see! Thank you very much for your help, we'll modify the configs, and hope for the best. Have a great day!
CrowdSec
CrowdSec3mo ago
Resolving Stuck sending event This has now been resolved. If you think this is a mistake please run /unresolve

Did you find this page helpful?