CrowdSec can expose a Prometheus endpoint for collection (on http://127.0.0.1:6060/metrics by default).
Besides the usual resource consumption monitoring, the goal of this endpoint is to offer a view of CrowdSec's "applicative" behavior:
- is it processing a lot of logs? is it parsing them successfully?
- are a lot of scenarios being triggered?
- are a lot of IPs banned?

All the counters are "since CrowdSec start": they are cumulative and reset when CrowdSec restarts.
- `cs_buckets`: number of live bucket instances per scenario
- `cs_bucket_created_total`: total number of instantiations of each scenario
- `cs_bucket_overflowed_total`: total number of overflows of each scenario
- `cs_bucket_underflowed_total`: total number of underflows of each scenario (the bucket was created but expired for lack of events)
- `cs_bucket_poured_total`: total number of events poured into each scenario, with the source as a complementary key
  - example: 2030 lines from `/var/log/nginx/access.log` were poured into the `crowdsecurity/http-scan-uniques_404` scenario
- `cs_node_hits_total`: how many times an event from a specific source was processed by a parser node
  - example: 235 lines from `auth.log` were processed by the `crowdsecurity/dateparse-enrich` parser
- `cs_node_hits_ko_total`: how many times an event from a specific source was unsuccessfully parsed by a specific parser
  - example: 2112 lines from `error.log` failed to be parsed by `crowdsecurity/http-logs`
- `cs_node_hits_ok_total`: how many times an event from a specific source was successfully parsed by a specific parser
- `cs_parser_hits_total`: how many times an event from a source has hit the parser
- `cs_parser_hits_ok_total`: how many times an event from a source was successfully parsed
- `cs_parser_hits_ko_total`: how many times an event from a source was unsuccessfully parsed
Acquisition metrics are split by datasource. The following metrics are available:
- `cs_cloudwatch_openstreams_total`: number of opened streams within a group (by group)
- `cs_cloudwatch_stream_hits_total`: number of events read from a stream (by group and by stream)
- `cs_filesource_hits_total`: total lines that were read (by source file)
- `cs_journalctlsource_hits_total`: total lines that were read (by source filter)
- `cs_syslogsource_hits_total`: total lines that were received (by the syslog server)
- `cs_syslogsource_parsed_total`: total lines that were successfully parsed by the syslog server
- `cs_lapi_route_requests_total`: number of calls to each route, per method
- `cs_lapi_machine_requests_total`: number of calls to each route, per method, grouped by machine
- `cs_lapi_bouncer_requests_total`: number of calls to each route, per method, grouped by bouncer
- `cs_lapi_decisions_ko_total`: number of unsuccessful responses when bouncers ask for an IP
- `cs_lapi_decisions_ok_total`: number of successful responses when bouncers ask for an IP
- `cs_info`: information about CrowdSec (software version)
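As an added example (not CrowdSec's own code and not part of the original page), the following Python script parses the text exposition format served at the endpoint above and derives the "applicative" health signals the metric lists describe: the parse-failure ratio per source from `cs_parser_hits_ok_total` and `cs_parser_hits_ko_total`, the underflow ratio per scenario from `cs_bucket_created_total` and `cs_bucket_underflowed_total`, and the ratio of unsuccessful bouncer lookups from `cs_lapi_decisions_ok_total` and `cs_lapi_decisions_ko_total`. The label names `source`, `name` and `bouncer` are assumptions based on the descriptions above, and the sample `/metrics` content is constructed; check both against your own endpoint.

```python
"""Derive CrowdSec health signals from its Prometheus text exposition.

Added example, not CrowdSec's own code. The label names used below
(`source` for parser counters, `name` for scenario counters, `bouncer`
for LAPI decision counters) are assumptions taken from the metric
descriptions; verify them against a real /metrics response.
"""
import re
from collections import defaultdict

# Constructed sample of what http://127.0.0.1:6060/metrics could return.
SAMPLE_METRICS = """\
# HELP cs_parser_hits_ok_total Number of events successfully parsed.
# TYPE cs_parser_hits_ok_total counter
cs_parser_hits_ok_total{source="/var/log/auth.log"} 235
cs_parser_hits_ok_total{source="/var/log/nginx/error.log"} 10
# TYPE cs_parser_hits_ko_total counter
cs_parser_hits_ko_total{source="/var/log/auth.log"} 3
cs_parser_hits_ko_total{source="/var/log/nginx/error.log"} 2112
# TYPE cs_bucket_created_total counter
cs_bucket_created_total{name="crowdsecurity/http-scan-uniques_404"} 50
# TYPE cs_bucket_underflowed_total counter
cs_bucket_underflowed_total{name="crowdsecurity/http-scan-uniques_404"} 45
# TYPE cs_lapi_decisions_ok_total counter
cs_lapi_decisions_ok_total{bouncer="cs-firewall-bouncer"} 980
# TYPE cs_lapi_decisions_ko_total counter
cs_lapi_decisions_ko_total{bouncer="cs-firewall-bouncer"} 20
"""

# One sample line: metric name, optional {labels}, then the value.
SAMPLE_RE = re.compile(
    r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Return {metric_name: {frozenset(label pairs): value}}."""
    metrics = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):  # skip HELP/TYPE lines and blanks
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            continue
        labels = frozenset(LABEL_RE.findall(m.group('labels') or ''))
        metrics[m.group('name')][labels] = float(m.group('value'))
    return dict(metrics)


def _sum_by(metrics, metric_name, label):
    """Sum a metric's samples per value of one label (other labels collapsed)."""
    totals = defaultdict(float)
    for labels, value in metrics.get(metric_name, {}).items():
        totals[dict(labels).get(label)] += value
    return totals


def failure_ratio(metrics, ok_metric, ko_metric, label):
    """ko / (ok + ko) per label value; keys with no hits at all are omitted."""
    ok, ko = _sum_by(metrics, ok_metric, label), _sum_by(metrics, ko_metric, label)
    return {k: ko[k] / (ok[k] + ko[k])
            for k in set(ok) | set(ko) if ok[k] + ko[k] > 0}


def parser_failure_ratio(metrics):
    """Share of lines per source that were unsuccessfully parsed
    (typically a log format change or a missing parser)."""
    return failure_ratio(metrics, 'cs_parser_hits_ok_total',
                         'cs_parser_hits_ko_total', 'source')


def bucket_underflow_ratio(metrics):
    """Share of scenario instances that expired without overflowing."""
    created = _sum_by(metrics, 'cs_bucket_created_total', 'name')
    under = _sum_by(metrics, 'cs_bucket_underflowed_total', 'name')
    return {k: under[k] / created[k] for k in created if created[k] > 0}


def lapi_decision_ko_ratio(metrics):
    """Share of bouncer IP lookups that got an unsuccessful response."""
    return failure_ratio(metrics, 'cs_lapi_decisions_ok_total',
                         'cs_lapi_decisions_ko_total', 'bouncer')


# Thresholds are illustrative; tune them to the volume of each source.
DEFAULT_THRESHOLDS = {'parser_failure': 0.5, 'bucket_underflow': 0.95,
                      'lapi_decisions_ko': 0.1}


def findings(metrics, thresholds=None):
    """Return [(kind, key, ratio)] for every ratio above its threshold."""
    t = {**DEFAULT_THRESHOLDS, **(thresholds or {})}
    ratios = [('parser_failure', parser_failure_ratio(metrics)),
              ('bucket_underflow', bucket_underflow_ratio(metrics)),
              ('lapi_decisions_ko', lapi_decision_ko_ratio(metrics))]
    return [(kind, key, r) for kind, per_key in ratios
            for key, r in sorted(per_key.items()) if r > t[kind]]


if __name__ == '__main__':
    for kind, key, r in findings(parse_exposition(SAMPLE_METRICS)):
        print(f'{kind}: {key} ratio={r:.3f}')
```

On the constructed sample the only finding is the nginx error log, where almost every line is unsuccessfully parsed. Because these are cumulative counters that reset on restart, the same ratio belongs in Prometheus as a rate over a window rather than a raw division, for example `rate(cs_parser_hits_ko_total[5m]) / (rate(cs_parser_hits_ok_total[5m]) + rate(cs_parser_hits_ko_total[5m]))`, which makes a sudden parsing regression visible without being diluted by the history since start.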
Exploitation with Prometheus server & Grafana

Those metrics can be scraped by a Prometheus server and visualized with Grafana. They can be downloaded here :