Skip to main content
Version: Next

Crowdsec Metrics

Crowdsec is instrumented using prometheus to provide detailed metrics and tracability about what is going on. The cscli metrics allows you to see a subset of the metrics exposed by crowdsec. For a more industrial solution, look into the Grafana integration.

The best way to get an overview of the available metrics is to use cscli metrics list:

TypeTitleDescription
acquisitionAcquisition MetricsMeasures the lines read, parsed, and unparsed per datasource. Zero read lines indicate a misconfigured or inactive datasource. Zero parsed lines means the parser(s) failed. Non-zero parsed lines are fine as crowdsec selects relevant lines.
alertsLocal API AlertsTracks the total number of past and present alerts for the installed scenarios.
appsec-engineAppsec MetricsMeasures the number of parsed and blocked requests by the AppSec Component.
appsec-ruleAppsec Rule MetricsProvides “per AppSec Component” information about the number of matches for loaded AppSec Rules.
bouncersBouncer MetricsNetwork traffic blocked by bouncers.
decisionsLocal API DecisionsProvides information about all currently active decisions. Includes both local (crowdsec) and global decisions (CAPI), and lists subscriptions (lists).
lapiLocal API MetricsMonitors the requests made to local API routes.
lapi-bouncerLocal API Bouncers MetricsTracks total hits to remediation component related API routes.
lapi-decisionsLocal API Bouncers DecisionsTracks the number of empty/non-empty answers from LAPI to bouncers that are working in "live" mode.
lapi-machineLocal API Machines MetricsTracks the number of calls to the local API from each registered machine.
parsersParser MetricsTracks the number of events processed by each parser and indicates success of failure. Zero parsed lines means the parser(s) failed. Non-zero unparsed lines are fine as crowdsec select relevant lines.
scenariosScenario MetricsMeasure events in different scenarios. Current count is the number of buckets during metrics collection. Overflows are past event-producing buckets, while Expired are the ones that didn’t receive enough events to Overflow.
stashParser Stash MetricsTracks the status of stashes that might be created by various parsers and scenarios.
whitelistsWhitelist MetricsTracks the number of events processed and possibly whitelisted by each parser whitelist.

Metrics sections

You can use aliases to view metrics related to specific areas (cscli metrics show $alias):

  • engine : Security Engine dedicated metrics (acquisition, parsers, scenarios, whitelists)
  • lapi : local api dedicated metrics (bouncer api calls, local api decisions, machines decisions etc.)
  • appsec : application Security Engine - WAF specifics (requests processed, rules evaluated and triggered)

You can as well combine various metrics sections (listed in cscli metrics list).

Example : Security Engine Metrics

Using cscli metrics show engine will display the metrics sections relative to the Security Engine itself : acquisition, parsers, scenarios, whitelists and stash.

Command Output
Acquisition Metrics:
╭────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log │ 636 │ - │ 636 │ - │ - │
│ file:/var/log/nginx/access.log │ 2424 │ - │ 1 │ - │
│ file:/var/log/syslog │ 1.55k │ - │ 1.55k │ - │ - │
╰────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

Parser Metrics:
╭─────────────────────────────────┬───────┬────────┬──────────╮
│ Parsers │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼───────┼────────┼──────────┤
│ child-crowdsecurity/http-logs │ 724824
│ child-crowdsecurity/nginx-logs │ 2424 │ - │
│ child-crowdsecurity/syslog-logs │ 2.18k │ 2.18k │ - │
│ crowdsecurity/dateparse-enrich │ 2424 │ - │
│ crowdsecurity/geoip-enrich │ 2424 │ - │
│ crowdsecurity/http-logs │ 2424 │ - │
│ crowdsecurity/nginx-logs │ 2424 │ - │
│ crowdsecurity/non-syslog │ 2424 │ - │
│ crowdsecurity/syslog-logs │ 2.18k │ 2.18k │ - │
╰─────────────────────────────────┴───────┴────────┴──────────╯

Scenario Metrics:
╭──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Scenario │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-crawl-non_statics │ - │ - │ 111
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Parser Stash Metrics:
╭──────┬──────┬───────╮
│ Name │ Type │ Items │
╰──────┴──────┴───────╯

Whitelist Metrics:
╭──────────────────────────┬─────────────────────────────┬──────┬─────────────╮
│ Whitelist │ Reason │ Hits │ Whitelisted │
├──────────────────────────┼─────────────────────────────┼──────┼─────────────┤
│ crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 1212
╰──────────────────────────┴─────────────────────────────┴──────┴─────────────╯