metrics not showing in webapp
hey, I just set up crowdsec with traefik and enrolled to the crowdsec webapp. there are no alerts showing up, but cscli metrics shows some scans etc. does it take some time to show them or did I set up something wrong. not sure. any help is appreciated.
(I tested with manual ip ban rules that crowdsec works)
Hello,
We have identified an issue where the display of alerts in the console is delayed, we are working on a fix
thank you for your reply. what's the time definition of delayed? I still don't see any alerts and it has been running for over 12 hours
from what we saw, around 2h
but we are still investigating the exact cause
could you paste the output of cscli alerts list ?
We found the issue, the delay is actually a bit "luck based" (tl;dr: we treat signals users send in batch, and we had some signals that contained data that was not properly handled by the console, which led to the entire batch being dropped. The system will retry automatically, but whether your data was inserted is dependent on the entire batch being "clean", so it can take a lot of retries)
I am not sure if my traefik container picks up the logs correctly from traefik. is there a way to check this? The volumes are mounted correctly
cscli metrics should tell you if the logs are read/parsed properly (1st table)
You can also do cscli machines list to get the name of the log processor, then cscli machines inspect <name> to get more detailed information about what is read/what is parsed
ah
so yeah, nothing is read
(the section will not exist until at least one line has been read)
the decisions you see are from the community blocklist
understood
can you show the content of your acquisition configuration ?
that's probably what I am missing
you are talking about the acquis.d folder?
if yes, it is empty -> I don't have one
ah, nvm.
this one is a placeholder when running crowdsec in docker
you need to create a new one in acquis.d to read your traefik logs
for example, assuming traefik logs are mounted in /logs in the crowdsec container:
Mount this in /etc/crowdsec/acquis.d/traefik.yaml and it should be good
I created /etc/crowdsec/acquis.d/traefik.yaml
my docker volume for the logs:
-v '/mnt/user/appdata/docker/pangolin/config/traefik/':'/logs/traefik':'ro'
and you also need to make sure the crowdsecurity/traefik collection is installed in the container (add it in the COLLECTIONS env var)
cool 🙂
this is already the case
@blotus why is only traefik_access.log picked up and not the traefik.log
and btw. thank you very much for your help. it is much appreciated 🫶
a file will only appear in metrics after at least one line has been written to it since crowdsec start
so it will appear eventually?
if something gets written to it, yes
ah, now those got blocked from traefik:
I also have geoblock enabled. does it make sense to have crowdsec before or after geoblock?
both are fine
Geoblock after crowdsec will log more alerts, which means more information about what is actually happening
Geoblock before will drop IPs you don't want to see anyway, so you don't actually care about what they're doing
I just noticed that I get banned if I click around in the traefik web UI for http-crawl-non_statics, do I really have to whitelist my IP? why is it doing that?
crawl non static will trigger if you make too many requests in a short timeframe (roughly anything more than 40 requests in 20 seconds on average)
you can see more details about what caused that by running cscli alerts list to get the alert id and then cscli alerts inspect -d <alert_id>
whitelisting your own IP is probably the easiest way to work around this
in the container, you can run:
no need to restart, it will be automatically used by crowdsec, and any existing decisions on your IP will be automatically removed
thank you. I was doing stuff locally, why did it ban my ISP's IP?
(I am using pangolin as a reverse proxy, no tunnels. and obv. traefik)
crowdsec bans the IP it sees in the logs, so this means you somehow hit it from your public IP even if it runs on your LAN (eg, you accessed the service from a domain that resolves to your public IP)
CrowdSec will ban IPs it sees in your logs that are seen doing malicious events. It's not some magical system that somehow knows this address is your ISP or your home address.
We provide ample documentation on white/allow listing https://docs.crowdsec.net/u/getting_started/post_installation/whitelists
I get that, but why is it not detecting me as a local ip? Sorry for this stupid question. Is it because of the reverse proxy?
Because pangolin is on an external VPS your requests leave your local network to come back into it.
You said no tunnels so it depends, you using cloudflare or an external domain name?