Skip to main content

Troubleshooting Remediation Components

Community support

Please try to resolve your issue by reading the documentation. If you're unable to find a solution, don't hesitate to seek assistance in:

info

{component} is used as a placeholder for the name of the component you are using. For example crowdsec-firewall-bouncer for the firewall bouncer.

Health

How to check the status

  sudo systemctl status {component}

Configuration

Where is configuration stored?

Configuration files by default are located in:

  • Linux /etc/crowdsec/bouncers/
  • Freebsd /usr/local/etc/crowdsec/bouncers/
  • Windows C:\Program Files\CrowdSec\bouncers\

Logs

Where are the logs stored?

By default Remediation components will log to the following locations depending on platform:

  • Linux /var/log/{component}.log
  • Freebsd /var/log/{component}.log
    • Opnsense /var/log/crowdsec/{component}.log
    • Pfsense /var/log/crowdsec/{component}.log
  • Windows C:\ProgramData\CrowdSec\log\{component}.log

Filtering logs to only show errors

You can use the os related commands to filter the logs to only show errors.

  sudo grep -E "level=(error|fatal)" {component}.log

Please make sure the log location is correct for your distribution.

My Remediaton Component is not showing any error messages within its log file but its failing to start/work

Most likely means the bouncer is failing to decode the configuration file provided. To find which line is causing the issue, you can use systemd/journalctl to get the error message:

sudo systemctl status <bouncer-service-name> -l
sudo journalctl -u <bouncer-service-name> -l

Common Issues

Cannot connect to the local API

  • error message might look like:
level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: connect: connection refused"
  • solution verify that the local API runs on the logged IP and port. If the logged IP and port is incorrect, you can edit the bouncer configuration file. If the logged IP and port is correct, verify that the local API is running.

Cannot authenticate to the local API

  • error message might look like:
time="19-04-2022 15:43:07" level=error msg="API error: access forbidden"
  • solution regenerate the API key via cscli bouncers and replace the old one in the bouncer configuration file. Do not attempt to use the same name for the API key as it will not work.