Command line

sudo cscli metrics

This command provides an overview of crowdsec-agent statistics provided by prometheus client. By default it assumes that the crowdsec-agent is installed on the same machine.

The metrics are split in 3 main sections :

  • Acquisition metrics : How many lines were read from which sources, how many were successfully or unsuccessfully parsed, and how many of those lines ultimately ended up being poured to a bucket.
  • Parser metrics : How many lines were fed (eligible) to each parser, and how many of those were successfully or unsuccessfully parsed.
  • Bucket metrics : How many time each scenario lead to a bucket instantiation, and for each of those :
    • how many times it overflowed
    • how many times it expired (underflows)
    • how many subsequent events were poured to said bucket

Hint

These metrics should help you identify potential configuration errors.

For example, if you have a source that has mostly unparsed logs, you know you might be missing some parsers. As well, if you have scenarios that are never instantiated, it might be a hint that they are not relevant to your configuration.

cscli metrics example
$ sudo cscli metrics

INFO[0000] Buckets Metrics:
+--------------------------------------+---------------+-----------+--------------+--------+---------+
|                BUCKET                | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/http-bad-user-agent    | -             | -         |           10 |     10 |      10 |
| crowdsecurity/http-crawl-non_statics | -             | -         |           91 |    119 |      91 |
| crowdsecurity/http-probing           | -             | -         |            2 |      2 |       2 |
| crowdsecurity/http-sensitive-files   | -             | -         |            1 |      1 |       1 |
| crowdsecurity/ssh-bf                 |            13 |      6314 |         8768 |  46772 |    2441 |
| crowdsecurity/ssh-bf_user-enum       |             6 | -         |         7646 |  14406 |    7640 |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
INFO[0000] Acquisition Metrics:
+---------------------------+------------+--------------+----------------+------------------------+
|          SOURCE           | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+---------------------------+------------+--------------+----------------+------------------------+
| /var/log/auth.log         |     105476 |        46772 |          58704 |                  61178 |
| /var/log/messages         |          2 | -            |              2 | -                      |
| /var/log/nginx/access.log |        138 |          111 |             27 |                    100 |
| /var/log/nginx/error.log  |        312 |           68 |            244 |                     32 |
| /var/log/syslog           |      31919 | -            |          31919 | -                      |
+---------------------------+------------+--------------+----------------+------------------------+
INFO[0000] Parser Metrics:
+--------------------------------+--------+--------+----------+
|            PARSERS             |  HITS  | PARSED | UNPARSED |
+--------------------------------+--------+--------+----------+
| child-crowdsecurity/http-logs  |    537 |    257 |      280 |
| child-crowdsecurity/nginx-logs |    789 |    179 |      610 |
| child-crowdsecurity/sshd-logs  | 436048 |  46772 |   389276 |
| crowdsecurity/dateparse-enrich |  46951 |  46951 | -        |
| crowdsecurity/geoip-enrich     |  46883 |  46883 | -        |
| crowdsecurity/http-logs        |    179 |     66 |      113 |
| crowdsecurity/nginx-logs       |    450 |    179 |      271 |
| crowdsecurity/non-syslog       |    450 |    450 | -        |
| crowdsecurity/sshd-logs        | 104386 |  46772 |    57614 |
| crowdsecurity/syslog-logs      | 137397 | 137395 |        2 |
| crowdsecurity/whitelists       |  46951 |  46951 | -        |
+--------------------------------+--------+--------+----------+
INFO[0000] Local Api Metrics:
+----------------------+--------+------+
|        ROUTE         | METHOD | HITS |
+----------------------+--------+------+
| /v1/alerts           | GET    |    4 |
| /v1/alerts           | POST   | 5400 |
| /v1/decisions/stream | GET    | 7694 |
| /v1/watchers/login   | POST   |   27 |
+----------------------+--------+------+
INFO[0000] Local Api Machines Metrics:
+----------------------------------+------------+--------+------+
|             MACHINE              |   ROUTE    | METHOD | HITS |
+----------------------------------+------------+--------+------+
| 7f0607a3469243139699bf2f30321fc4 | /v1/alerts | GET    |    4 |
| 7f0607a3469243139699bf2f30321fc4 | /v1/alerts | POST   | 5400 |
+----------------------------------+------------+--------+------+
INFO[0000] Local Api Bouncers Metrics:
+------------------------------+----------------------+--------+------+
|           BOUNCER            |        ROUTE         | METHOD | HITS |
+------------------------------+----------------------+--------+------+
| cs-firewall-bouncer-n3W19Qua | /v1/decisions/stream | GET    | 7694 |
+------------------------------+----------------------+--------+------+