View Details
Data comes in through the parsers. To see what they are doing, let’s take a look at the Acquisition and Parser metrics.
sudo cscli metrics
Most of the ‘Acquisition Metrics’ lines will be read and parsed, but not all: some entries carry nothing a scenario can use. For example, when reading the SSH logs, the parser quits early on a line that doesn’t even contain an IP address.
sudo cscli metrics show acquisition
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics │
├────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/caddy/access.log │ 1 │ 1 │ - │ 1 │ - │
│ file:/var/log/caddy/www.some.org.log │ 15 │ 15 │ - │ 18 │ - │
╰────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
“Lines poured to bucket” is the interesting column. If an event matches a scenario’s filter, the parser ‘pours’ it into that scenario’s ‘bucket’. One event can match several scenarios and be poured into each of them, which is why “Lines poured” can be larger than “Lines parsed”, as in the second row above.
Let’s take a look at what scenarios were matched.
sudo cscli metrics show scenarios
╭────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Scenario Metrics │
├──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────┤
│ Scenario │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-crawl-non_statics │ 2 │ - │ 13 │ 14 │ 11 │
│ crowdsecurity/http-probing │ 2 │ - │ 5 │ 5 │ 3 │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯
Two scenarios matched. Events were poured into their buckets, but nothing ‘Overflowed’ yet. Sometimes people just mistype a password or follow a dead link on a web page, so every scenario has a threshold that must be crossed before action is taken. The other columns: ‘Instantiated’ is how many buckets were created (one per tracked source, the client IP for these scenarios), ‘Current Count’ how many are live right now, and ‘Expired’ how many drained out without ever overflowing.
You can take a look at the scenario to see what it’s looking for as well. Here are the key lines:
# Let's look at the definition for http-probing
sudo cscli hub list
sudo cat /etc/crowdsec/hub/scenarios/crowdsecurity/http-probing.yaml
...
...
description: "Detect site scanning/probing from a single ip"
filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['404', '403', '400'] && evt.Parsed.static_ressource == 'false'"
...
capacity: 10
leakspeed: "10s"
...
It’s looking for HTTP events with status 400, 403 or 404 that are not requests for static resources. Each source IP gets a leaky bucket with a capacity of 10, and a leakspeed of 10s means the bucket leaks one event every ten seconds. The bucket overflows when it holds more than 10 events at once, i.e. when an IP sends roughly 11 matching requests faster than the bucket can drain them. An IP that produces one 404 every ten seconds or slower never accumulates anything, and a bucket that drains to empty just expires.
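To make the threshold concrete, here is a small leaky-bucket simulation of this scenario. It is an added example, not CrowdSec’s own code (the real engine is written in Go and also honours the scenario keys elided above, which this model ignores): it approximates the bucket as a level that drains at one event per leakspeed and overflows when it exceeds capacity. The event records, the IP addresses and the static-resource check by file extension are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values taken from the http-probing scenario shown above.
CAPACITY = 10                                 # capacity: 10
LEAKSPEED = 10.0                              # leakspeed: "10s" -> one event leaks every 10 s
PROBE_STATUSES = {"404", "403", "400"}        # evt.Meta.http_status in [...]

# Stand-in for the parser's static_ressource flag (hypothetical simplification:
# the real parsers derive it from the request with their own rules).
STATIC_EXTENSIONS = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff2")


def matches_filter(evt: dict) -> bool:
    """Mirror the scenario filter: HTTP service, probing status, non-static path."""
    is_static = evt["path"].lower().endswith(STATIC_EXTENSIONS)
    return evt["service"] == "http" and evt["status"] in PROBE_STATUSES and not is_static


@dataclass
class Bucket:
    """One leaky bucket; the scenario keeps one per source IP."""
    level: float = 0.0      # events currently held
    last_ts: float = 0.0    # time of the previous pour, used to compute the leak

    def pour(self, ts: float) -> bool:
        # Drain first: the bucket leaks one event per LEAKSPEED seconds of elapsed
        # time, so an IP that probes slower than that never accumulates anything.
        self.level = max(0.0, self.level - (ts - self.last_ts) / LEAKSPEED)
        self.last_ts = ts
        self.level += 1
        if self.level > CAPACITY:
            self.level = 0.0   # the bucket is emptied once it has overflowed
            return True
        return False


def run(events: List[dict]) -> Tuple[Dict[str, Bucket], List[Tuple[str, float]]]:
    """Pour events into per-IP buckets; return the buckets and (ip, ts) of each overflow."""
    buckets: Dict[str, Bucket] = {}
    overflows: List[Tuple[str, float]] = []
    for evt in sorted(events, key=lambda e: e["ts"]):
        if not matches_filter(evt):
            continue            # not "poured": nothing this scenario can use
        bucket = buckets.setdefault(evt["ip"], Bucket(last_ts=evt["ts"]))
        if bucket.pour(evt["ts"]):
            overflows.append((evt["ip"], evt["ts"]))
    return buckets, overflows


def probes(ip: str, n: int, start: float, step: float, status: str = "404") -> List[dict]:
    """Constructed events: n requests from ip for distinct paths, one every `step` seconds."""
    return [{"ts": start + i * step, "ip": ip, "service": "http",
             "status": status, "path": f"/probe-{i}"} for i in range(n)]


# Constructed traffic (RFC 5737 documentation addresses, not real clients).
SAMPLE_EVENTS = (
    probes("198.51.100.7", 11, 0.0, 0.5)                  # scanner: 11 x 404 in 5 s
    + probes("203.0.113.9", 11, 0.0, 12.0)                # slow scanner: one 404 every 12 s
    + probes("192.0.2.4", 3, 1.0, 30.0)                   # a human following a few dead links
    + probes("192.0.2.4", 20, 2.0, 1.0, status="200")     # ... plus normal page loads
    + [{"ts": 3.0, "ip": "192.0.2.4", "service": "http",  # 404 for a static file: filtered out
        "status": "404", "path": "/missing.css"}]
)

if __name__ == "__main__":
    buckets, overflows = run(SAMPLE_EVENTS)
    for ip, ts in overflows:
        print(f"overflow: {ip} at t={ts:.1f}s")
    for ip, bucket in buckets.items():
        print(f"{ip}: level={bucket.level:.2f}")
```

Running it reports a single overflow, from the fast scanner on its 11th probe at t=5s. The slow scanner sends the same eleven 404s but never holds more than one event, because each arrives after the previous one has already leaked; that is the difference between a leaky bucket and a plain count of events per time window.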
After a while, you’ll see something overflow and generate an alert and a decision.
╭────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Scenario Metrics │
├──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────┤
│ Scenario │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-crawl-non_statics │ 2 │ - │ 65 │ 78 │ 63 │
│ crowdsecurity/http-generic-bf │ - │ 3 │ 5 │ 24 │ 2 │
│ crowdsecurity/http-probing │ 2 │ - │ 26 │ 26 │ 24 │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯
sudo cscli alerts list
╭─────┬───────────────────┬───────────────────────────────┬─────────┬──────────────────────────────────┬───────────┬──────────────────────╮
│ ID │ value │ reason │ country │ as │ decisions │ created_at │
├─────┼───────────────────┼───────────────────────────────┼─────────┼──────────────────────────────────┼───────────┼──────────────────────┤
│ 117 │ Ip:20.114.185.119 │ crowdsecurity/http-generic-bf │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ ban:1 │ 2026-02-06T18:11:51Z │
╰─────┴───────────────────┴───────────────────────────────┴─────────┴──────────────────────────────────┴───────────┴──────────────────────╯
sudo cscli decision list
╭────────┬──────────┬───────────────────┬───────────────────────────────┬────────┬─────────┬──────────────────────────────────┬────────┬────────────┬──────────╮
│ ID │ Source │ Scope:Value │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │
├────────┼──────────┼───────────────────┼───────────────────────────────┼────────┼─────────┼──────────────────────────────────┼────────┼────────────┼──────────┤
│ 904849 │ crowdsec │ Ip:20.114.185.119 │ crowdsecurity/http-generic-bf │ ban │ US │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ 6 │ 3h39m30s │ 117 │
╰────────┴──────────┴───────────────────┴───────────────────────────────┴────────┴─────────┴──────────────────────────────────┴────────┴────────────┴──────────╯
An overflow generates an alert and a decision. The decision (here, a ban) is the part that gets enforced: it was issued with a 4-hour duration and expires on its own, with the remaining time shown in the list, while the alert remains as a historical record.
Your bouncers will enforce the decisions, and you can check them there as well.
# Run this wherever your firewall bouncer is running
nft list ruleset | grep 20.114.185.119
elements = { 20.114.185.119 timeout 3h59m57s expires 3h33m25s132ms,
# If you're using the caddy bouncer
caddy crowdsec check 20.114.185.119
blocked: true