You may see the IDPS/WAF of CrowdSec referred to as "Security Engine" and Bouncers referred to as "Remediation Components" within new documentation.
This is to better reflect the role of each component within the CrowdSec ecosystem.

Troubleshooting

We have extended our troubleshooting documentation to cover more common issues and questions.
If you have any suggestions for this please open an issue here.

Also, checkout our 🩺 Stack Health-Check page to make sure your Detection, Community Sharing and Remediation are working properly

Console Health Check Issues

If you received a health check alert from the CrowdSec Console, check out the Console Health Check Issues page for a complete list of issues, their trigger conditions, and dedicated troubleshooting guides.

Troubleshooting by Topic

Troubleshooting by Issue

Individual troubleshooting guides for specific Console alerts:

Security Engine Offline - Security Engine not reporting to Console
Engine No Alerts - No alerts generated in 48 hours
Engine Too Many Alerts - Abnormally high alert volume
Log Processor Offline - Log Processor not checking in
LP No Alerts - Log Processor not generating alerts
LP No Logs Read - No logs being acquired
LP No Logs Parsed - Logs read but not parsed
Firewall Integration Offline - Firewall bouncer not pulling decisions
RC Integration Offline - Remediation component not pulling decisions

Community support

Please try to resolve your issue by reading the documentation. If you're unable to find a solution, don't hesitate to seek assistance in:

FAQ

How to report a bug

To report a bug, please open an issue on the affected component's repository:

CrowdSec Repo

CrowdSec Hub Repo

CrowdSec Hub should be used when you have an issue with a parser, scenario or collection.

What license is provided ?

The Security Engine and Remediation Components are provided under MIT license.

How fast is it

The Security Engine can easily handle several thousands of events per second on a rich pipeline (multiple parsers, geoip enrichment, scenarios and so on). Logs are a good fit for sharding by default, so it is definitely the way to go if you need to handle higher throughput.

If you need help for large scale deployment, please get in touch with us on the Form, we love challenges ;)

Why are some scenarios/parsers "tainted" or "custom" ?

When using cscli to list your parsers, scenarios and collections, some might appear as "tainted" or "local".

"tainted" items:

Originate from the hub
Were locally modified
Will not be automatically updated/upgraded by cscli operations (unless --force or similar is specified)
Won't be sent to Central API and won't appear in the Console (unless cscli console enable tainted has been specified)

"local" items:

Have been locally created by the user
Are not managed by cscli operations
Won't be sent to Central API and won't appear in the Console (unless cscli console enable custom has been specified)

Which information is sent to your services ?

See CAPI documentation.

Console Health Check Issues​

Troubleshooting by Topic​

Troubleshooting by Issue​

Community support​

FAQ

How to report a bug​

What license is provided ?​

How fast is it​

Why are some scenarios/parsers "tainted" or "custom" ?​

Which information is sent to your services ?​