Crowdsec Metrics
Crowdsec is instrumented with Prometheus to provide detailed metrics and traceability about what is going on.
The cscli metrics command lets you see a subset of the metrics exposed by crowdsec. For a more industrial solution, look into the Grafana integration.
The best way to get an overview of the available metrics is to use cscli metrics list:
| Type | Title | Description | 
|---|---|---|
| acquisition | Acquisition Metrics | Measures the lines read, parsed, and unparsed per datasource. Zero read lines indicate a misconfigured or inactive datasource. Zero parsed lines mean the parser(s) failed. Non-zero parsed lines are fine as crowdsec selects relevant lines. | 
| alerts | Local API Alerts | Tracks the total number of past and present alerts for the installed scenarios. | 
| appsec-engine | Appsec Metrics | Measures the number of parsed and blocked requests by the AppSec Component. | 
| appsec-rule | Appsec Rule Metrics | Provides "per AppSec Component" information about the number of matches for loaded AppSec Rules. | 
| decisions | Local API Decisions | Provides information about all currently active decisions. Includes both local (crowdsec) and global decisions (CAPI), and lists subscriptions (lists). | 
| lapi | Local API Metrics | Monitors the requests made to local API routes. | 
| lapi-bouncer | Local API Bouncers Metrics | Tracks total hits to remediation component related API routes. | 
| lapi-decisions | Local API Bouncers Decisions | Tracks the number of empty/non-empty answers from LAPI to bouncers that are working in "live" mode. | 
| lapi-machine | Local API Machines Metrics | Tracks the number of calls to the local API from each registered machine. | 
| parsers | Parser Metrics | Tracks the number of events processed by each parser and indicates success or failure. Zero parsed lines means the parser(s) failed. Non-zero unparsed lines are fine as crowdsec selects relevant lines. | 
| scenarios | Scenario Metrics | Measure events in different scenarios. Current count is the number of buckets during metrics collection. Overflows are past event-producing buckets, while Expired are the ones that didn't receive enough events to Overflow. | 
| stash | Parser Stash Metrics | Tracks the status of stashes that might be created by various parsers and scenarios. | 
| whitelists | Whitelist Metrics | Tracks the number of events processed and possibly whitelisted by each parser whitelist. | 
Metrics sections
You can use aliases to view metrics related to specific areas (cscli metrics show $alias):
- engine: Security Engine dedicated metrics (acquisition, parsers, scenarios, whitelists)
- lapi: Local API dedicated metrics (bouncer API calls, Local API decisions, machines decisions, etc.)
- appsec: Application Security Engine, WAF specifics (requests processed, rules evaluated and triggered)
You can also combine various metrics sections (listed in cscli metrics list).
Example: Security Engine Metrics
Using cscli metrics show engine will display the metrics sections related to the Security Engine itself: acquisition, parsers, scenarios, whitelists and stash.
Acquisition Metrics:
╭────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│             Source             │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log         │ 636        │ -            │ 636            │ -                      │ -                 │
│ file:/var/log/nginx/access.log │ 24         │ 24           │ -              │ 1                      │ -                 │
│ file:/var/log/syslog           │ 1.55k      │ -            │ 1.55k          │ -                      │ -                 │
╰────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
Parser Metrics:
╭─────────────────────────────────┬───────┬────────┬──────────╮
│             Parsers             │ Hits  │ Parsed │ Unparsed │
├─────────────────────────────────┼───────┼────────┼──────────┤
│ child-crowdsecurity/http-logs   │ 72    │ 48     │ 24       │
│ child-crowdsecurity/nginx-logs  │ 24    │ 24     │ -        │
│ child-crowdsecurity/syslog-logs │ 2.18k │ 2.18k  │ -        │
│ crowdsecurity/dateparse-enrich  │ 24    │ 24     │ -        │
│ crowdsecurity/geoip-enrich      │ 24    │ 24     │ -        │
│ crowdsecurity/http-logs         │ 24    │ 24     │ -        │
│ crowdsecurity/nginx-logs        │ 24    │ 24     │ -        │
│ crowdsecurity/non-syslog        │ 24    │ 24     │ -        │
│ crowdsecurity/syslog-logs       │ 2.18k │ 2.18k  │ -        │
╰─────────────────────────────────┴───────┴────────┴──────────╯
Scenario Metrics:
╭──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│               Scenario               │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-crawl-non_statics │ -             │ -         │ 1            │ 1      │ 1       │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯
Parser Stash Metrics:
╭──────┬──────┬───────╮
│ Name │ Type │ Items │
╰──────┴──────┴───────╯
Whitelist Metrics:
╭──────────────────────────┬─────────────────────────────┬──────┬─────────────╮
│        Whitelist         │           Reason            │ Hits │ Whitelisted │
├──────────────────────────┼─────────────────────────────┼──────┼─────────────┤
│ crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 12   │ 12          │
╰──────────────────────────┴─────────────────────────────┴──────┴─────────────╯
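The acquisition rules from the metrics list (zero lines read means a misconfigured or inactive datasource, zero lines parsed means the parsers failed) can be checked mechanically against the Acquisition Metrics table above, where a source that is read but never parsed is a detection blind spot. The following is an added example, not part of CrowdSec: the function names and status labels are hypothetical, the sample input is the table from this page, and treating a configured source that is missing from the table as unread is an assumption.

```python
import re

# Acquisition table as printed by `cscli metrics show engine`, copied from this page.
SAMPLE = """\
╭────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│             Source             │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log         │ 636        │ -            │ 636            │ -                      │ -                 │
│ file:/var/log/nginx/access.log │ 24         │ 24           │ -              │ 1                      │ -                 │
│ file:/var/log/syslog           │ 1.55k      │ -            │ 1.55k          │ -                      │ -                 │
╰────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
"""

UNITS = {"": 1, "k": 1_000, "M": 1_000_000}  # only "k" appears on this page; "M" is assumed


def to_int(cell):
    """Convert a humanized cell ('-', '636', '1.55k') to an integer."""
    cell = cell.strip()
    if cell in ("", "-"):
        return 0
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kM]?)", cell)
    if m is None:
        raise ValueError(f"unexpected cell value: {cell!r}")
    return round(float(m.group(1)) * UNITS[m.group(2)])


def parse_rows(text):
    """Return one dict per data row, keyed by the header cells."""
    rows = [[c.strip() for c in line.strip().strip("│").split("│")]
            for line in text.splitlines() if line.strip().startswith("│")]
    return [dict(zip(rows[0], r)) for r in rows[1:]]


def check_acquisition(text, expected=()):
    """Map each datasource to 'ok', 'parsers-failed' or 'no-lines-read' (hypothetical labels)."""
    # Assumption: a configured source that is absent from the table has read nothing.
    status = {src: "no-lines-read" for src in expected}
    for row in parse_rows(text):
        read, parsed = to_int(row["Lines read"]), to_int(row["Lines parsed"])
        if read == 0:
            status[row["Source"]] = "no-lines-read"   # misconfigured or inactive datasource
        elif parsed == 0:
            status[row["Source"]] = "parsers-failed"  # read, but nothing reaches the scenarios
        else:
            status[row["Source"]] = "ok"              # unparsed lines alone are not a fault
    return status


if __name__ == "__main__":
    for source, state in check_acquisition(SAMPLE).items():
        print(f"{state:15} {source}")
```

On the table from this page, auth.log and syslog are reported as parsers-failed and the nginx access log as ok.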