Security Engine Offline
The Security Engine Offline indicates that an enrolled Security Engine has not reported or logged into CrowdSec Central API for more than 48 hours.
This usually means the core crowdsec service has stopped working or communicating with our infrastructure.
What Triggers This Issue
- Trigger condition: No contact with Console for 48 hours
- Criticality: 🔥 Critical
- Impact: Complete loss of visibility and protection coordination
Common Root Causes
- Host or service down: The CrowdSec service has stopped or the host itself is unreachable.
- Console connectivity issues: Network, firewall, or proxy blocking HTTPS calls to Console endpoints, or TLS validation failures.
Diagnosis & Resolution
Host or service down
🔎 Check if CrowdSec service is running
Check that the crowdsec service is running:
sudo systemctl status crowdsec
sudo journalctl -u crowdsec -n 50
Run this command for Docker or Kubernetes
docker ps --filter name=crowdsec
kubectl get pods -n crowdsec
If the host itself is unreachable (hypervisor, VM, or cloud instance down), the Console cannot receive a heartbeat and marks the engine offline.
🛠️ Restart the Security Engine service
Restart the Security Engine service:
sudo systemctl restart crowdsec
For Docker or Kubernetes
Docker:
docker restart crowdsec
Kubernetes:
kubectl rollout restart deployment/crowdsec -n crowdsec
After restarting, re-run sudo cscli console status to ensure the heartbeat is restored.
Console connectivity issues
🔎 Check console status and logs for connectivity errors
sudo cscli console status may show errors such as permission denied, unable to reach console, or TLS failures. Inspect /var/log/crowdsec/crowdsec.log (or container stdout) for more details.
Let's confirm that your Security Engine can communicate with the CrowdSec Central API (CAPI).
sudo cscli capi status
Let's also check that the security engine's Local API is running and is healthy.
sudo cscli machines list
In a standalone install you should see one machine, check the Last update time.
Ensure outbound access to the CrowdSec Console endpoints listed in Network management. Firewalls or proxy changes often block the HTTPS calls required for heartbeats.
Verify system time is synced (via NTP). Large clock drifts can invalidate console tokens.
🛠️ Restore connectivity to the Console
Restore connectivity to the Console:
-
Check that you can access crowdsec services and APIs listed in network management
-
If a proxy is required, configure it in
/etc/crowdsec/config.yamlundercommon.http_proxiesand reload the service. -
Renew TLS trust stores if the host cannot validate the Console certificate chain.
Test connectivity:
curl -I https://api.crowdsec.net/
For CAPI connectivity issues you can follow the posts-install health check step for connectivity.
In the rare case you saw zero machines in your machines list, try:
sudo cscli machine add --auto --force
Verify Resolution
After making changes:
Restart or reload CrowdSec: sudo systemctl restart crowdsec
-
Check engine status:
sudo cscli console status -
Verify in the Console the security engine "last activity" date
Once the engine resumes contact, the Console clears the Security Engine Offline alert during the next poll.
💡 Consider enabling the Security Engine Offline notification in your preferred integration so future outages are caught quickly.
Related Issues
- Log Processor Offline - If specific agents are offline
- Security Engine Troubleshooting - General Security Engine issues
Getting Help
If you still don't manage to resume your Security Engine heartbeat towards CrowdSec Console:
