Troubleshooting Remediation Components
Community support
Please try to resolve your issue by reading the documentation. If you're unable to find a solution, don't hesitate to seek assistance in:
{component}
is used as a placeholder for the name of the component you are using. For example crowdsec-firewall-bouncer
for the firewall bouncer.
Health
How to check the status
- Linux/Freebsd
- Windows
sudo systemctl status {component}
Get-Service {component}
Configuration
Where is configuration stored?
Configuration files by default are located in:
- Linux
/etc/crowdsec/bouncers/
- Freebsd
/usr/local/etc/crowdsec/bouncers/
- Windows
C:\ProgramData\CrowdSec\bouncers\
Logs
Where are the logs stored?
By default Remediation components will log to the following locations depending on platform:
- Linux
/var/log/{component}.log
- Freebsd
/var/log/{component}.log
- Opnsense
/var/log/crowdsec/{component}.log
- Pfsense
/var/log/crowdsec/{component}.log
- Opnsense
- Windows
C:\ProgramData\CrowdSec\log\{component}.log
Filtering logs to only show errors
You can use the os related commands to filter the logs to only show errors.
- Linux/Freebsd
- Windows
sudo grep -E "level=(error|fatal)" /var/log/{component}.log
- Powershell
- CMD
Select-String "level=(error|fatal)" C:\ProgramData\CrowdSec\log\{component}.log
findstr "level=error level=fatal" C:\ProgramData\CrowdSec\log\{component}.log
Please make sure the log location matches your distribution.
My Remediaton Component is not showing any error messages within its log file but its failing to start/work
Most likely means the bouncer is failing to decode the configuration file provided. To find which line is causing the issue, you can use systemd/journalctl to get the error message:
sudo systemctl status <bouncer-service-name> -l
sudo journalctl -u <bouncer-service-name> -l
Common Issues
Cannot connect to the local API
- error message might look like:
level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: connect: connection refused"
- solution verify that the local API runs on the logged IP and port. If the logged IP and port is incorrect, you can edit the bouncer configuration file. If the logged IP and port is correct, verify that the local API is running.
Cannot authenticate to the local API
- error message might look like:
time="19-04-2022 15:43:07" level=error msg="API error: access forbidden"
- solution regenerate the API key via cscli bouncers and replace the old one in the bouncer configuration file. Do not attempt to use the same name for the API key as it will not work.