CrowdSec Metrics
CrowdSec is instrumented with Prometheus to provide detailed metrics and traceability.
`cscli metrics` lets you view a subset of the metrics exposed by CrowdSec. For production-grade dashboards, use the Grafana integration.
The best way to see available metrics is `cscli metrics list`:
| Type | Title | Description |
|---|---|---|
| acquisition | Acquisition Metrics | Measures lines read, parsed, and unparsed per datasource. Zero read lines indicate a misconfigured or inactive datasource. Zero parsed lines mean the parser(s) failed. Non-zero parsed lines are fine as CrowdSec selects relevant lines. |
| alerts | Local API Alerts | Tracks the total number of past and present alerts for the installed scenarios. |
| appsec-engine | Appsec Metrics | Measures the number of parsed and blocked requests by the AppSec Component. |
| appsec-rule | Appsec Rule Metrics | Provides "per AppSec Component" information about the number of matches for loaded AppSec Rules. |
| decisions | Local API Decisions | Provides information about all currently active decisions. Includes both local (crowdsec) and global decisions (CAPI), and lists subscriptions (lists). |
| lapi | Local API Metrics | Monitors the requests made to local API routes. |
| lapi-bouncer | Local API Bouncers Metrics | Tracks total hits to remediation component related API routes. |
| lapi-decisions | Local API Bouncers Decisions | Tracks the number of empty/non-empty answers from LAPI to bouncers that are working in "live" mode. |
| lapi-machine | Local API Machines Metrics | Tracks the number of calls to the local API from each registered machine. |
| parsers | Parser Metrics | Tracks the number of events processed by each parser and indicates success or failure. Zero parsed lines mean the parser(s) failed. Non-zero unparsed lines are fine as CrowdSec selects relevant lines. |
| scenarios | Scenario Metrics | Measures events in different scenarios. Current count is the number of buckets during metrics collection. Overflows are past event-producing buckets, while Expired are ones that did not receive enough events to overflow. |
| stash | Parser Stash Metrics | Tracks the status of stashes that might be created by various parsers and scenarios. |
| whitelists | Whitelist Metrics | Tracks the number of events processed and possibly whitelisted by each parser whitelist. |
Metrics sections
You can use aliases to view metrics related to specific areas (`cscli metrics show $alias`):
- engine: Security Engine metrics (acquisition, parsers, scenarios, whitelists)
- lapi: Local API metrics (bouncer API calls, local API decisions, machine decisions)
- appsec: AppSec metrics (requests processed, rules evaluated and triggered)

You can combine sections listed in `cscli metrics list`.
Example: Security Engine metrics
`cscli metrics show engine` displays the metrics sections related to the Security Engine: acquisition, parsers, scenarios, whitelists, and stash.
Command Output
```
Acquisition Metrics:
╭────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────╮
│ Source                         │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log         │ 636        │ -            │ 636            │ -                      │ -                 │
│ file:/var/log/nginx/access.log │ 24         │ 24           │ -              │ 1                      │ -                 │
│ file:/var/log/syslog           │ 1.55k      │ -            │ 1.55k          │ -                      │ -                 │
╰────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

Parser Metrics:
╭─────────────────────────────────┬───────┬────────┬──────────╮
│ Parsers                         │ Hits  │ Parsed │ Unparsed │
├─────────────────────────────────┼───────┼────────┼──────────┤
│ child-crowdsecurity/http-logs   │ 72    │ 48     │ 24       │
│ child-crowdsecurity/nginx-logs  │ 24    │ 24     │ -        │
│ child-crowdsecurity/syslog-logs │ 2.18k │ 2.18k  │ -        │
│ crowdsecurity/dateparse-enrich  │ 24    │ 24     │ -        │
│ crowdsecurity/geoip-enrich      │ 24    │ 24     │ -        │
│ crowdsecurity/http-logs         │ 24    │ 24     │ -        │
│ crowdsecurity/nginx-logs        │ 24    │ 24     │ -        │
│ crowdsecurity/non-syslog        │ 24    │ 24     │ -        │
│ crowdsecurity/syslog-logs       │ 2.18k │ 2.18k  │ -        │
╰─────────────────────────────────┴───────┴────────┴──────────╯

Scenario Metrics:
╭──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│ Scenario                             │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-crawl-non_statics │ -             │ -         │ 1            │ 1      │ 1       │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Parser Stash Metrics:
╭──────┬──────┬───────╮
│ Name │ Type │ Items │
╰──────┴──────┴───────╯

Whitelist Metrics:
╭──────────────────────────┬─────────────────────────────┬──────┬─────────────╮
│ Whitelist                │ Reason                      │ Hits │ Whitelisted │
├──────────────────────────┼─────────────────────────────┼──────┼─────────────┤
│ crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 12   │ 12          │
╰──────────────────────────┴─────────────────────────────┴──────┴─────────────╯
```
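The acquisition rules from the table at the top of this page (zero lines read means a misconfigured or inactive datasource, zero lines parsed means the parser(s) failed), applied to output like the above to find log sources with no detection coverage. This is an added example, not part of CrowdSec or its documentation; the sample table is constructed and trimmed to four columns, and the `expected` list, the `M` suffix and the Apache path are assumptions.

```python
import re

# Constructed sample, modelled on the Acquisition Metrics table shown above.
SAMPLE = """\
Acquisition Metrics:
╭────────────────────────────────┬────────────┬──────────────┬────────────────╮
│ Source                         │ Lines read │ Lines parsed │ Lines unparsed │
├────────────────────────────────┼────────────┼──────────────┼────────────────┤
│ file:/var/log/auth.log         │ 636        │ -            │ 636            │
│ file:/var/log/nginx/access.log │ 24         │ 24           │ -              │
│ file:/var/log/syslog           │ 1.55k      │ -            │ 1.55k          │
╰────────────────────────────────┴────────────┴──────────────┴────────────────╯
"""

def to_number(cell):
    """Turn a table cell ('-', '636', '1.55k') into an int."""
    if cell == "-":
        return 0
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kM]?)", cell)  # 'M' suffix is an assumption
    if not m:
        raise ValueError(f"unexpected cell: {cell!r}")
    return round(float(m.group(1)) * {"": 1, "k": 1e3, "M": 1e6}[m.group(2)])

def parse_acquisition(text):
    """Return {source: {column: int}} for the 'Acquisition Metrics' table only."""
    rows, header, wanted = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if line.endswith("Metrics:"):            # section title: switch tables
            wanted, header = line == "Acquisition Metrics:", None
        elif wanted and line.startswith("│"):    # header/data rows, not borders
            cells = [c.strip() for c in line.strip("│").split("│")]
            if header:
                rows[cells[0]] = dict(zip(header[1:], map(to_number, cells[1:])))
            header = header or cells
    return rows

def coverage_gaps(rows, expected):
    """Flag sources per the page's rules; `expected` is the operator's own list."""
    gaps = {}
    for source in sorted(set(rows) | set(expected)):
        stats = rows.get(source, {})  # assumption: absent from the table = zero read
        if stats.get("Lines read", 0) == 0:
            gaps[source] = "no lines read: datasource misconfigured or inactive"
        elif stats.get("Lines parsed", 0) == 0:
            gaps[source] = "read but never parsed: parser(s) failed"
    return gaps

if __name__ == "__main__":
    print(coverage_gaps(parse_acquisition(SAMPLE), ["file:/var/log/apache2/access.log"]))  # constructed path
```

On this sample, `auth.log` and `syslog` are reported as read but never parsed, so no scenario that depends on those logs can fire until a matching parser is installed.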