From e3f6cb104b29c773a8bf059bd7a4cc3c335803e4 Mon Sep 17 00:00:00 2001
From: jdv
Date: Mon, 23 Jun 2025 17:18:34 +0200
Subject: [PATCH 1/9] adding additionnal hint for cscli/crowdsec issues
---
.../unversioned/getting_started/health_check.mdx | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/crowdsec-docs/unversioned/getting_started/health_check.mdx b/crowdsec-docs/unversioned/getting_started/health_check.mdx
index 6bf9c3cb5..212f8db5a 100644
--- a/crowdsec-docs/unversioned/getting_started/health_check.mdx
+++ b/crowdsec-docs/unversioned/getting_started/health_check.mdx
@@ -183,7 +183,7 @@ Were all the tests related to your setup successful?
⚙️ CrowdSec Service Troubleshooting -- is the CrowdSec service running? - + Let’s check if the CrowdSec service is active: sudo systemctl status crowdsec - ☑️ You should see: "**active (running)**" @@ -196,12 +196,17 @@ Were all the tests related to your setup successful? For linux systems, the logs are typically located in `/var/log/crowdsec.log`. less /var/log/crowdsec.log - Common reasons the service might fail:: + If you got an error trying to run the `cscli` or trying to start `crowdsec`. + Common reasons the service might fail: - Misconfiguration in the `config.yaml` file. - Port conflicts with other services. By default, CrowdSec uses port 8080 for the Local API (LAPI) and port 6060 for the Local API metrics. - The port configuration can be setup in `config.yaml` file or by setting the environment variables depending on your implementation - Insufficient permissions to access the log files or directories. - Acquisition files format errors. + + Other more low level reasons might be: + - `cscli` doesn't exist in your $PATH hence can't be called from anywhere. + - You might not have `sudo` permissions to run the command or privileges on the config.yaml file used when running `cscli` or `crowdsec`.
From 31494d9404b157eee10b81ab38888428b3750af8 Mon Sep 17 00:00:00 2001
From: jdv
Date: Mon, 23 Jun 2025 17:19:25 +0200
Subject: [PATCH 2/9] healthcheck version udpate
---
crowdsec-docs/unversioned/getting_started/health_check.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crowdsec-docs/unversioned/getting_started/health_check.mdx b/crowdsec-docs/unversioned/getting_started/health_check.mdx
index 212f8db5a..ca967990f 100644
--- a/crowdsec-docs/unversioned/getting_started/health_check.mdx
+++ b/crowdsec-docs/unversioned/getting_started/health_check.mdx
@@ -9,7 +9,7 @@ import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; import CodeBlock from '@theme/CodeBlock';
-Health Check Version: 0.1.0
+Health Check Version: 0.2.0
Welcome to the interactive Health-Check of your CrowdSec setup. We'll guide you through a series of tests to ensure that your Security Stack is fully functional and ready to protect your services:
From 54de09591d270a4c0cddeb1f3770ffe4d60f1c8a Mon Sep 17 00:00:00 2001
From: jdv
Date: Thu, 2 Oct 2025 11:00:03 +0200
Subject: [PATCH 3/9] tabs per system
---
.../getting_started/health_check.mdx | 588 +++++++++++++++---
1 file changed, 505 insertions(+), 83 deletions(-)
diff --git a/crowdsec-docs/unversioned/getting_started/health_check.mdx b/crowdsec-docs/unversioned/getting_started/health_check.mdx
index ca967990f..2ff02abf7 100644
--- a/crowdsec-docs/unversioned/getting_started/health_check.mdx
+++ b/crowdsec-docs/unversioned/getting_started/health_check.mdx
@@ -40,7 +40,18 @@ We'll trigger the dummy scenario `crowdsecurity/http-generic-test` by accessing curl -I https://\/crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl 2️⃣ Confirm the alert has triggered for the scenario `crowdsecurity/http-generic-test` -sudo cscli alerts list | grep crowdsecurity/http-generic-test + + + + sudo cscli alerts list | grep crowdsecurity/http-generic-test + + + docker exec crowdsec cscli alerts list | grep crowdsecurity/http-generic-test + + + kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli alerts list | grep crowdsecurity/http-generic-test + + **Notes:** - Requests from private IP addresses won't trigger alerts (private IPs are whitelisted by default). @@ -57,7 +68,18 @@ We'll trigger the dummy scenario `crowdsecurity/ssh-generic-test` by attempting ssh crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl@\ 2️⃣ Confirm the alert has triggered for the scenario `crowdsecurity/ssh-generic-test` -sudo cscli alerts list | grep crowdsecurity/ssh-generic-test + + + + sudo cscli alerts list | grep crowdsecurity/ssh-generic-test + + + docker exec crowdsec cscli alerts list | grep crowdsecurity/ssh-generic-test + + + kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli alerts list | grep crowdsecurity/ssh-generic-test + + **Notes:** - This scenario can only be triggered again after a 5-minutes delay. 
@@ -75,7 +97,18 @@ We'll trigger the dummy scenario `crowdsecurity/appsec-generic-test` by accessin curl -I https://\/crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl 2️⃣ Confirm the alert has triggered for the scenario `crowdsecurity/appsec-generic-test` -sudo cscli alerts list | grep crowdsecurity/appsec-generic-test + + + + sudo cscli alerts list | grep crowdsecurity/appsec-generic-test + + + docker exec crowdsec cscli alerts list | grep crowdsecurity/appsec-generic-test + + + kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli alerts list | grep crowdsecurity/appsec-generic-test + + **Notes:** - This scenario can only be triggered again after a 1-minute delay. 
@@ -108,9 +141,24 @@ Were all the tests related to your setup successful? Multiple log sources can be defined in the acquisition(s) configuration files and they support diverse datasources (files, syslog, etc.). For more details you can refer to the [datasources documentation](https://doc.crowdsec.net/docs/next/log_processor/data_sources/intro). - We'll look at the security engine **metrics** to see if logs are **being read** and if what's read is **parsed correctly**. + We'll look at the security engine **metrics** to see if logs are **being read** and if what's read is **parsed correctly**. We'll do that using the `cscli metrics` command: - sudo cscli metrics show acquisition parsers + + + + sudo cscli metrics show acquisition parsers + + + docker exec crowdsec cscli metrics show acquisition parsers + + + {`# For LAPI pod +kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli metrics show acquisition parsers + +# For all agent pods +for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o name); do kubectl exec -n crowdsec -it $i -- cscli metrics show acquisition parsers; done`} + + Under **Acquisition Metrics** you should see: - The source name of the log files or streams that have been read and the number of lines read and parsed for each of them. @@ -136,77 +184,294 @@ Were all the tests related to your setup successful?
📥 Acquisition Troubleshooting -- Are your logs properly declared as datasources - CrowdSec needs to know where to **read your logs**. This is handled by the **acquisition configuration**, usually found in `acquis.yaml` or in files under `acquis.d/` inside the CrowdSec config directory. - On Debian like OS it is typically located in `/etc/crowdsec/`. + CrowdSec needs to know where to **read your logs**. The configuration varies by deployment method: - To troubleshoot: + + + + The **acquisition configuration** is usually found in `acquis.yaml` or in files under `acquis.d/` inside the CrowdSec config directory. + On Debian-like OS it is typically located in `/etc/crowdsec/`. + + **To troubleshoot:** - The detailed doc about the acquisition configuration can be found [here](https://doc.crowdsec.net/docs/next/log_processor/acquisition/intro). - Check your acquisition files exist and that the datasources are properly setup. - - 💡 Hint: + - 💡 Hint: - The hub page of the collection you installed provides an example of the acquisition configuration file to create. - For example: - - The [NGINX collection hub page ↗️](https://app.crowdsec.net/hub/author/crowdsecurity/collections/nginx) + - The [NGINX collection hub page ↗️](https://app.crowdsec.net/hub/author/crowdsecurity/collections/nginx) - Or the [SSHD collection hub page ↗️](https://app.crowdsec.net/hub/author/crowdsecurity/collections/sshd) (that is contained in the Linux Collection). - - Make sure that the **type** declared in the matches the **parser** expected to be used: nginx, apache, syslog, etc. + - Make sure that the **type** declared matches the **parser** expected to be used: nginx, apache, syslog, etc. + + + + + In Docker, logs must be accessible to the container through volumes. + + **Common issues:** + - **Missing volume mounts**: Ensure log directories are mounted in your container. 
+ ```yaml + volumes: + - /var/log:/var/log:ro # Mount logs as read-only + ``` + - **Acquisition configuration**: Your `acquis.yaml` should reference paths inside the container. + - **Log file permissions**: CrowdSec container user must have read access to log files. + - **Shared log volumes**: For multi-container setups, ensure logs are written to a shared named volume: + ```yaml + volumes: + - logs:/var/log/nginx # Shared volume for logs + ``` + + **To check your acquisition config:** + ```bash + docker exec crowdsec cat /etc/crowdsec/acquis.yaml + ``` + + + + + In Kubernetes, CrowdSec reads logs directly from pods using the Kubernetes API. + + **Configuration is done in your Helm values file:** + ```yaml + agent: + acquisition: + - namespace: your-namespace + podName: your-pod-* + program: nginx # Must match parser name + ``` + + **Common issues:** + - **Wrong namespace or pod names**: Verify pods exist with `kubectl get pods -n ` + - **Incorrect program name**: The `program` field must match an available parser (nginx, traefik, apache, etc.) + - **Container runtime mismatch**: Set `container_runtime: containerd` or `container_runtime: docker` in values.yaml + - **RBAC permissions**: CrowdSec needs permissions to read pod logs. Check with: + ```bash + kubectl auth can-i list pods --as=system:serviceaccount:crowdsec:crowdsec-agent + kubectl auth can-i get pods/log --as=system:serviceaccount:crowdsec:crowdsec-agent + ``` + + **Note:** Unlike standalone deployments, you use `program:` instead of `type:` in Kubernetes acquisitions. + + + +
📦 Collection Troubleshooting -- Are the right parsers and scenarios installed? CrowdSec, via its [**Hub** ↗️](https://app.crowdsec.net/hub/collections) uses collections to package correct parsers and detection scenarios for your services. - - On regular **host** installations, CrowdSec usually detects your services (like nginx or ssh) and installs the appropriate collections automatically. - - On **Docker**, **Kubernetes**, or **custom setups**, you may need to install them manually. - #### 🔍 To check what's currently installed: - sudo cscli collections list + + + + On regular **host** installations, CrowdSec usually detects your services (like nginx or ssh) and installs the appropriate collections automatically. + + **🔍 To check what's currently installed:** + ```bash + sudo cscli collections list + ``` You can also list individual parsers and scenarios with: - sudo cscli parsers list - sudo cscli scenarios list - + ```bash + sudo cscli parsers list + sudo cscli scenarios list + ``` + - Look for entries related to your service (e.g., nginx, apache, ssh). - - If they’re listed, the right collection is likely installed. - - #### 📥 Install missing collections - 1. Visit the [CrowdSec Hub ↗️](https://hub.crowdsec.net/) and search for a collection matching your service, like: - - [nginx ↗️](https://app.crowdsec.net/hub/author/crowdsecurity/collections/nginx) - - [apache ↗️](https://app.crowdsec.net/hub/author/crowdsecurity/collections/apache) - - [linux ↗️](https://app.crowdsec.net/hub/author/crowdsecurity/collections/linux) - - etc... - 2. Follow the installation instructions on the collection’s page, including any required acquisition setup. - - #### ⚠️ Log format mismatch - - If your logs don’t follow the expected format (e.g., they’ve been customized), CrowdSec might not parse them properly. + - If they're listed, the right collection is likely installed. + + **📥 Install missing collections:** + 1. 
Visit the [CrowdSec Hub ↗️](https://hub.crowdsec.net/) and search for a collection matching your service + 2. Install with: + ```bash + sudo cscli collections install crowdsecurity/nginx + sudo systemctl reload crowdsec + ``` + + + + + In Docker, collections must be installed via the `COLLECTIONS` environment variable or manually. + + **🔍 To check what's currently installed:** + ```bash + docker exec crowdsec cscli collections list + ``` + + **📥 Install collections:** + + **Method 1: Environment variable (recommended)** + ```yaml + environment: + COLLECTIONS: "crowdsecurity/nginx crowdsecurity/linux" + ``` + Then restart the container. + + **Method 2: Manual installation** + ```bash + docker exec crowdsec cscli collections install crowdsecurity/nginx + docker restart crowdsec + ``` + + **Common issues:** + - Collections not persisting: Ensure `/etc/crowdsec/` is mounted as a volume + - Collections installed but not working: Restart the container after installation + + + + + In Kubernetes, collections must be specified in your Helm values file. + + **🔍 To check what's currently installed:** + ```bash + kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli collections list + ``` + + **📥 Install collections:** + + Add to your `values.yaml`: + ```yaml + agent: + env: + - name: COLLECTIONS + value: "crowdsecurity/traefik crowdsecurity/nginx" + ``` + + Then upgrade your Helm release: + ```bash + helm upgrade crowdsec crowdsec/crowdsec -n crowdsec -f values.yaml + ``` + + **Common issues:** + - Collections must match your acquisition `program:` field + - Each agent pod processes different logs, verify on the right pod + - LAPI doesn't need collections, only agents do + + + + + **⚠️ Log format mismatch:** + - If your logs don't follow the expected format (e.g., they've been customized), CrowdSec might not parse them properly. 
- You can find more information on how to create your own parsers in the [CrowdSec documentation](https://doc.crowdsec.net/docs/next/log_processor/parsers/format).
⚙️ CrowdSec Service Troubleshooting -- is the CrowdSec service running? - - Let’s check if the CrowdSec service is active: - sudo systemctl status crowdsec + + + + + Let's check if the CrowdSec service is active: + ```bash + sudo systemctl status crowdsec + ``` - ☑️ You should see: "**active (running)**" - If the service is not running, you can start it manually: - sudo systemctl start crowdsec - - 💡 make sure it will be up after restart, activate the service - - If the service fails to start, you can check the logs for more information: - For linux systems, the logs are typically located in `/var/log/crowdsec.log`. - less /var/log/crowdsec.log - - If you got an error trying to run the `cscli` or trying to start `crowdsec`. - Common reasons the service might fail: - - Misconfiguration in the `config.yaml` file. - - Port conflicts with other services. By default, CrowdSec uses port 8080 for the Local API (LAPI) and port 6060 for the Local API metrics. - - The port configuration can be setup in `config.yaml` file or by setting the environment variables depending on your implementation - - Insufficient permissions to access the log files or directories. - - Acquisition files format errors. - - Other more low level reasons might be: - - `cscli` doesn't exist in your $PATH hence can't be called from anywhere. - - You might not have `sudo` permissions to run the command or privileges on the config.yaml file used when running `cscli` or `crowdsec`. 
+ **If the service is not running:** + ```bash + sudo systemctl start crowdsec + sudo systemctl enable crowdsec # Ensure it starts on boot + ``` + + **Check logs for errors:** + ```bash + # View service logs + sudo journalctl -u crowdsec -n 50 + + # Or check log file + less /var/log/crowdsec.log + ``` + + **Common issues:** + - Misconfiguration in `/etc/crowdsec/config.yaml` + - Port conflicts (default: 8080 for LAPI, 6060 for metrics) + - Insufficient permissions to access log files + - Acquisition files format errors + + + + + Check if the container is running: + ```bash + docker ps | grep crowdsec + ``` + + **If not running, check container logs:** + ```bash + docker logs crowdsec + ``` + + **Start/restart the container:** + ```bash + docker start crowdsec + # Or restart + docker restart crowdsec + ``` + + **Common issues:** + - **Volume mount errors**: Ensure `/etc/crowdsec/` and `/var/lib/crowdsec/data/` are properly mounted + - **Missing data volume**: Since v1.7.0, `/var/lib/crowdsec/data/` must be persisted + - **Port conflicts**: Check if 8080 is available on host + - **Log access**: Ensure log volumes are correctly mounted and readable + - **Environment variables**: Verify `COLLECTIONS` and other env vars are set correctly + + **Check container status:** + ```bash + docker inspect crowdsec + ``` + + + + + Check if pods are running: + ```bash + kubectl get pods -n crowdsec + ``` + + You should see LAPI and agent pods in `Running` status. 
+ + **Check pod logs:** + ```bash + # LAPI logs + kubectl logs -n crowdsec -l k8s-app=crowdsec -l type=lapi + + # Agent logs + kubectl logs -n crowdsec -l k8s-app=crowdsec -l type=agent + ``` + + **Describe pod for more details:** + ```bash + kubectl describe pod -n crowdsec + ``` + + **Common issues:** + - **Image pull errors**: Check if the CrowdSec image is accessible + - **RBAC permissions**: Agents need permissions to read pod logs + ```bash + kubectl get clusterrole crowdsec-agent + kubectl get clusterrolebinding crowdsec-agent + ``` + - **PVC issues**: If using persistent volumes, ensure PVCs are bound + ```bash + kubectl get pvc -n crowdsec + ``` + - **ConfigMap errors**: Verify configuration is valid + ```bash + kubectl get configmap -n crowdsec + ``` + - **Network policies**: Ensure pods can communicate with each other + - **Resource limits**: Check if pods have sufficient CPU/memory + + **Restart pods:** + ```bash + kubectl rollout restart deployment/crowdsec-lapi -n crowdsec + kubectl rollout restart daemonset/crowdsec-agent -n crowdsec + ``` + + +
@@ -227,7 +492,18 @@ This connection allows you to: The most direct way to verify connectivity is to see if your instance has already received decisions from the Community Blocklist. 1️⃣ List decisions coming from CAPI - sudo cscli decisions list --origin CAPI + + + + sudo cscli decisions list --origin CAPI + + + docker exec crowdsec cscli decisions list --origin CAPI + + + kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli decisions list --origin CAPI + + ☑️ If you see decisions, you're connected and receiving threat intel. @@ -246,23 +522,92 @@ Were all the tests related to your setup successful?
🐞 Connectivity Troubleshooting - Let’s verify your CAPI connection step-by-step. + Let's verify your CAPI connection step-by-step. + + + - Check CAPI status: - sudo cscli capi status + **Check CAPI status:** + ```bash + sudo cscli capi status + ``` - **Should show:** + **Should show:** + - `INFO You can successfully interact with Central API (CAPI)` + - Information about the connectivity config file path + - Enrollment status with CrowdSec Console + + **Common issues:** + - **Missing credentials**: If `online_api_credentials.yaml` is missing: + ```bash + sudo cscli capi register + sudo systemctl reload crowdsec + ``` + - **Firewall blocking**: Ensure outbound access to `api.crowdsec.net` (HTTPS/443) + - **DNS issues**: Verify DNS resolution works: + ```bash + nslookup api.crowdsec.net + ``` + - **Proxy configuration**: If behind a proxy, configure in `/etc/crowdsec/config.yaml` + + + + + **Check CAPI status:** + ```bash + docker exec crowdsec cscli capi status + ``` + + **Should show:** - `INFO You can successfully interact with Central API (CAPI)` - - Along with information about the connectivity config file path and if your Security engine is enrolled in CrowdSec console. - **Common issues include:** - - Missing `online_api_credentials.yaml` in your CrowdSec config directory - - If they don't exist, you can create them by running the command: - sudo cscli capi register - - Firewall rules blocking outbound connections to the CrowdSec Central API (api.crowdsec.net) - - DNS resolution issues. - - Proxy server configuration. - - Connectivity issues within Docker containers. 
+ **Common issues:** + - **No internet from container**: Ensure container can reach external networks + ```bash + docker exec crowdsec ping -c 3 api.crowdsec.net + ``` + - **Missing credentials**: Register if credentials are missing: + ```bash + docker exec crowdsec cscli capi register + docker restart crowdsec + ``` + - **Volume not persisted**: Ensure `/etc/crowdsec/` volume persists the credentials file + - **Network mode**: If using custom networks, verify routing and DNS + - **Proxy issues**: Set `HTTP_PROXY` and `HTTPS_PROXY` environment variables if needed + + + + + **Check CAPI status:** + ```bash + kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli capi status + ``` + + **Should show:** + - `INFO You can successfully interact with Central API (CAPI)` + - Enrollment information if configured + + **Common issues:** + - **No external connectivity**: Test from pod: + ```bash + kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- ping -c 3 api.crowdsec.net + ``` + - **NetworkPolicy blocking**: Check if NetworkPolicies allow egress to api.crowdsec.net + - **DNS issues**: Verify CoreDNS is working correctly + - **Proxy configuration**: Configure proxy via environment variables in values.yaml: + ```yaml + lapi: + env: + - name: HTTP_PROXY + value: "http://proxy:8080" + - name: HTTPS_PROXY + value: "http://proxy:8080" + ``` + - **PVC not bound**: If credentials aren't persisting, check PVC status + - **Enrollment key**: If using console enrollment, verify `ENROLL_KEY` is set correctly in values.yaml + + +
@@ -291,7 +636,18 @@ OR do it from a device with a different public IP address than the client you're curl api.ipify.org 2️⃣ Add a ban decision for your IP (valid for 1 minute): -sudo cscli decisions add --ip \ --duration 1m --reason "CrowdSec remediation test" + + + + sudo cscli decisions add --ip \ --duration 1m --reason "CrowdSec remediation test" + + + docker exec crowdsec cscli decisions add --ip \ --duration 1m --reason "CrowdSec remediation test" + + + kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli decisions add --ip \ --duration 1m --reason "CrowdSec remediation test" + + ⏳ *Wait a few seconds to ensure the decision is processed by the bouncer.* 3️⃣ Try accessing your service (e.g. website, API). from the same public IP address. @@ -318,23 +674,89 @@ You might want to continue to the next recommended steps:
Is your Bouncer Installed and Connected to your Security engine - - - Check bouncers linked to your Security Engine: - sudo cscli bouncers list - You should see: + + + + + **Check bouncers linked to your Security Engine:** + ```bash + sudo cscli bouncers list + ``` + + **You should see:** - The bouncer name - - A tick in the valid column indicating that the bouncer is properly registered and connected to your Security Engine. - - a recent `Last API pull` datasources - - - If your bouncer is not valid or not pulling it might be an issue with the bouncer configuration authentication in its configuration file. - - If you don't see your bouncer listed, you should add it - - You can try to re-register your bouncer with the command: - sudo cscli bouncers add - - Copy the provided token and paste it in your bouncer configuration file. - - Then restart the bouncer service. - - - If your bouncer is on a different machine, ensure it can reach the Security Engine Local API. - - If you are using a bouncer in a container, ensure that the container can reach the Security Engine Local API. + - A ✓ in the valid column indicating proper registration + - A recent `Last API pull` timestamp + + **Common issues:** + - **Bouncer not valid or not pulling**: Check authentication in bouncer config file + - **Bouncer not listed**: Register it: + ```bash + sudo cscli bouncers add my-bouncer-name + ``` + Copy the token and add it to your bouncer's configuration, then restart the bouncer service. 
+ + - **Bouncer on different machine**: Ensure it can reach the LAPI endpoint (default: `http://crowdsec-server:8080`) + - **Firewall blocking**: Verify port 8080 is accessible from bouncer machine + + + + + **Check bouncers linked to your Security Engine:** + ```bash + docker exec crowdsec cscli bouncers list + ``` + + **Common issues:** + - **Bouncer in separate container**: Ensure containers are on the same Docker network + - **LAPI URL**: Bouncer config should point to `http://crowdsec:8080` (using container name) + - **Register bouncer**: You can pre-create bouncer keys using environment variables: + ```yaml + environment: + BOUNCER_KEY_mybouncer: "my-secret-api-key" + ``` + - **Network connectivity**: Test from bouncer container: + ```bash + docker exec my-bouncer ping crowdsec + ``` + + + + + **Check bouncers linked to your Security Engine:** + ```bash + kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli bouncers list + ``` + + **Common issues:** + - **Service discovery**: Bouncer should connect to `http://crowdsec-lapi.crowdsec.svc.cluster.local:8080` + - **Register bouncer**: For Kubernetes remediation components (Ingress-Nginx, Traefik): + ```bash + # Generate API key + kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli bouncers add k8s-bouncer + + # Or pre-configure in values.yaml + lapi: + env: + - name: BOUNCER_KEY_k8s + value: "your-api-key-here" + ``` + - **Network policies**: Ensure bouncer namespace can reach crowdsec namespace + - **Service accessibility**: Verify the crowdsec-lapi service is accessible: + ```bash + kubectl get svc -n crowdsec crowdsec-lapi + ``` + + **For Ingress Nginx bouncer:** + - Ensure the bouncer has the correct LAPI URL in its ConfigMap + - Check bouncer logs for connection errors: + ```bash + kubectl logs -n ingress-nginx -l app.kubernetes.io/component=controller + ``` + + + +
From 31256d7c096465e70354cc1081458b4e4e126165 Mon Sep 17 00:00:00 2001
From: jdv
Date: Thu, 2 Oct 2025 15:13:52 +0200
Subject: [PATCH 4/9] mentionning hjealth check in troubleshooting intro + nano clean of intro
---
.../unversioned/troubleshooting/intro.md | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/crowdsec-docs/unversioned/troubleshooting/intro.md b/crowdsec-docs/unversioned/troubleshooting/intro.md
index d1f5d3dee..3072d0979 100644
--- a/crowdsec-docs/unversioned/troubleshooting/intro.md
+++ b/crowdsec-docs/unversioned/troubleshooting/intro.md
@@ -4,18 +4,21 @@ id: intro --- :::info
-You may see CrowdSec referred to as "Security Engine" and Bouncers referred to as "Remediation Components" within new documentation. This is to better reflect the role of each component within the CrowdSec ecosystem.
+You may see the **IDPS/WAF of CrowdSec** referred to as **"Security Engine"** and **Bouncers** referred to as **"Remediation Components"** within new documentation.
+This is to better reflect the role of each component within the CrowdSec ecosystem.
::: # Troubleshooting
-We have extended our troubleshooting documentation to cover more common issues and questions. If you have any suggestions for this please open an [issue here](https://github.com/crowdsecurity/crowdsec-docs).
+We have extended our troubleshooting documentation to cover more common issues and questions.
+If you have any suggestions for this please open an [issue here](https://github.com/crowdsecurity/crowdsec-docs).
-### [Security Engine Troubleshooting](/troubleshooting/security_engine.mdx)
+Also, checkout our 🩺 [**Stack Health-Check page**](/u/getting_started/health_check) to make sure your **Detection**, **Community Sharing** and **Remediation** are working properly
-### [Remediation Components Troubleshooting](/troubleshooting/remediation_components.mdx)
-
-### [CTI Troubleshooting](/troubleshooting/cti.mdx)
+Here you'll also find Troubleshooting by topic:
+* [Security Engine Troubleshooting](/troubleshooting/security_engine.mdx)
+* [Remediation Components Troubleshooting](/troubleshooting/remediation_components.mdx)
+* [CTI Troubleshooting](/troubleshooting/cti.mdx)
## Community support
From 6fd028d269d9c45cc4c01ddc6807f8f3d9476173 Mon Sep 17 00:00:00 2001
From: jdv
Date: Mon, 13 Oct 2025 11:49:30 +0200
Subject: [PATCH 5/9] some changes from PR comments
---
.../unversioned/getting_started/health_check.mdx | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/crowdsec-docs/unversioned/getting_started/health_check.mdx b/crowdsec-docs/unversioned/getting_started/health_check.mdx index 2ff02abf7..32044df46 100644 --- a/crowdsec-docs/unversioned/getting_started/health_check.mdx +++ b/crowdsec-docs/unversioned/getting_started/health_check.mdx @@ -229,7 +229,7 @@ for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o nam - In Kubernetes, CrowdSec reads logs directly from pods using the Kubernetes API. + In Kubernetes, CrowdSec reads logs from `/var/log/containers` which is mounted into pods by the helm chart. **Configuration is done in your Helm values file:** ```yaml @@ -237,12 +237,12 @@ for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o nam acquisition: - namespace: your-namespace podName: your-pod-* - program: nginx # Must match parser name + program: nginx # Reference used by the FILTER function of your installed parsers ``` **Common issues:** - **Wrong namespace or pod names**: Verify pods exist with `kubectl get pods -n ` - - **Incorrect program name**: The `program` field must match an available parser (nginx, traefik, apache, etc.) + - **Incorrect program name**: The `program` field must match the FILTER of your installed parser (nginx, traefik, apache, etc.) - **Container runtime mismatch**: Set `container_runtime: containerd` or `container_runtime: docker` in values.yaml - **RBAC permissions**: CrowdSec needs permissions to read pod logs. Check with: ```bash @@ -377,11 +377,11 @@ for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o nam **Check logs for errors:** ```bash - # View service logs - sudo journalctl -u crowdsec -n 50 - - # Or check log file + # Start by checking crowdsec logs less /var/log/crowdsec.log + + # Eventually check systemd journal logs + sudo journalctl -u crowdsec -n 50 ``` **Common issues:** 
@@ -543,7 +543,7 @@ Were all the tests related to your setup successful? sudo cscli capi register sudo systemctl reload crowdsec ``` - - **Firewall blocking**: Ensure outbound access to `api.crowdsec.net` (HTTPS/443) + - **Firewall blocking**: Ensure outbound network access (API endpoints, blocklists, etc.). See [Network Management](https://docs.crowdsec.net/docs/next/configuration/network_management/) for full requirements - **DNS issues**: Verify DNS resolution works: ```bash nslookup api.crowdsec.net From dfcd52d02d2e730792ab0875fb39eb1a03a52d95 Mon Sep 17 00:00:00 2001 From: jdv Date: Mon, 13 Oct 2025 17:32:24 +0200 Subject: [PATCH 6/9] finxing hint about docker and kub --- .../getting_started/health_check.mdx | 80 +++++-------------- 1 file changed, 22 insertions(+), 58 deletions(-) diff --git a/crowdsec-docs/unversioned/getting_started/health_check.mdx b/crowdsec-docs/unversioned/getting_started/health_check.mdx index 32044df46..b4903b8d6 100644 --- a/crowdsec-docs/unversioned/getting_started/health_check.mdx +++ b/crowdsec-docs/unversioned/getting_started/health_check.mdx @@ -77,6 +77,7 @@ We'll trigger the dummy scenario `crowdsecurity/ssh-generic-test` by attempting docker exec crowdsec cscli alerts list | grep crowdsecurity/ssh-generic-test + It's uncommon to have to deal with this scenario in Kubernetes, but if you do: kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli alerts list | grep crowdsecurity/ssh-generic-test @@ -88,7 +89,7 @@ We'll trigger the dummy scenario `crowdsecurity/ssh-generic-test` by attempting
🛡️ **AppSec** detection test - CrowdSec WAF -If you've enabled an AppSec-capable bouncer with CrowdSec WAF, you can trigger the `crowdsecurity/appsec-generic-test` dummy scenario. +If you've enabled an AppSec-capable bouncer with CrowdSec WAF with the [Virtual Patching collection](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching), you can trigger the `crowdsecurity/appsec-generic-test` dummy scenario. It would have triggered along with the HTTP detection test, but it is worth mentioning here as well. We'll trigger the dummy scenario `crowdsecurity/appsec-generic-test` by accessing a **probe path** on your web server. @@ -152,11 +153,9 @@ Were all the tests related to your setup successful? docker exec crowdsec cscli metrics show acquisition parsers - {`# For LAPI pod -kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli metrics show acquisition parsers - -# For all agent pods -for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o name); do kubectl exec -n crowdsec -it $i -- cscli metrics show acquisition parsers; done`} + + for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o name); do kubectl exec -n crowdsec -it $i -- cscli metrics show acquisition parsers; done + 
@@ -208,22 +207,19 @@ for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o nam In Docker, logs must be accessible to the container through volumes. **Common issues:** - - **Missing volume mounts**: Ensure log directories are mounted in your container. + - **Missing volume mounts** & **Shared log volumes**: Ensure log directories are mounted in your container and available in multi-container setup. + Example if your service logs are in `/var/log` on the host or in a `logs` shared volume: ```yaml volumes: - - /var/log:/var/log:ro # Mount logs as read-only + - /var/log:/var/log:ro # Example for mounting logs as read-only + - logs:/logs:ro # Example for shared log volume between containers ``` - - **Acquisition configuration**: Your `acquis.yaml` should reference paths inside the container. + - **Acquisition configuration**: Your `acquis.yaml` or `acquis.d/*.yaml` files should reference paths inside the container. - **Log file permissions**: CrowdSec container user must have read access to log files. - - **Shared log volumes**: For multi-container setups, ensure logs are written to a shared named volume: - ```yaml - volumes: - - logs:/var/log/nginx # Shared volume for logs - ``` **To check your acquisition config:** ```bash - docker exec crowdsec cat /etc/crowdsec/acquis.yaml + docker exec crowdsec cat /etc/crowdsec/acquis.yaml # or acquis.d/*.yaml ``` 
@@ -244,11 +240,6 @@ for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o nam - **Wrong namespace or pod names**: Verify pods exist with `kubectl get pods -n ` - **Incorrect program name**: The `program` field must match the FILTER of your installed parser (nginx, traefik, apache, etc.) - **Container runtime mismatch**: Set `container_runtime: containerd` or `container_runtime: docker` in values.yaml - - **RBAC permissions**: CrowdSec needs permissions to read pod logs. Check with: - ```bash - kubectl auth can-i list pods --as=system:serviceaccount:crowdsec:crowdsec-agent - kubectl auth can-i get pods/log --as=system:serviceaccount:crowdsec:crowdsec-agent - ``` **Note:** Unlike standalone deployments, you use `program:` instead of `type:` in Kubernetes acquisitions. @@ -292,7 +283,7 @@ for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o nam - In Docker, collections must be installed via the `COLLECTIONS` environment variable or manually. + In Docker, collections must be installed via the `COLLECTIONS` environment variable. **🔍 To check what's currently installed:** ```bash @@ -301,22 +292,11 @@ for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o nam **📥 Install collections:** - **Method 1: Environment variable (recommended)** ```yaml environment: COLLECTIONS: "crowdsecurity/nginx crowdsecurity/linux" ``` - Then restart the container. - - **Method 2: Manual installation** - ```bash - docker exec crowdsec cscli collections install crowdsecurity/nginx - docker restart crowdsec - ``` - - **Common issues:** - - Collections not persisting: Ensure `/etc/crowdsec/` is mounted as a volume - - Collections installed but not working: Restart the container after installation + Then **restart the container**. 
@@ -325,7 +305,7 @@ for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o nam **🔍 To check what's currently installed:** ```bash - kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli collections list + for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o name); do kubectl exec -n crowdsec -it $i -- cscli collections list; done ``` **📥 Install collections:** @@ -343,11 +323,6 @@ for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o nam helm upgrade crowdsec crowdsec/crowdsec -n crowdsec -f values.yaml ``` - **Common issues:** - - Collections must match your acquisition `program:` field - - Each agent pod processes different logs, verify on the right pod - - LAPI doesn't need collections, only agents do - @@ -403,12 +378,7 @@ for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o nam docker logs crowdsec ``` - **Start/restart the container:** - ```bash - docker start crowdsec - # Or restart - docker restart crowdsec - ``` + **Make sure your container starts without error** **Common issues:** - **Volume mount errors**: Ensure `/etc/crowdsec/` and `/var/lib/crowdsec/data/` are properly mounted 
@@ -447,27 +417,21 @@ for i in $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=agent -o nam ``` **Common issues:** - - **Image pull errors**: Check if the CrowdSec image is accessible - - **RBAC permissions**: Agents need permissions to read pod logs + - **ConfigMap errors**: Verify configuration is valid ```bash - kubectl get clusterrole crowdsec-agent - kubectl get clusterrolebinding crowdsec-agent + kubectl get configmap -n crowdsec ``` + - **Resource limits**: Check if pods have sufficient CPU/memory + - **Network policies**: Ensure pods can communicate with each other - **PVC issues**: If using persistent volumes, ensure PVCs are bound ```bash kubectl get pvc -n crowdsec ``` - - **ConfigMap errors**: Verify configuration is valid - ```bash - kubectl get configmap -n crowdsec - ``` - - **Network policies**: Ensure pods can communicate with each other - - **Resource limits**: Check if pods have sufficient CPU/memory + - **Image pull errors**: Check if the CrowdSec image is accessible, could happen if you have registry conflicts - **Restart pods:** + **Upgrade your Helm** ```bash - kubectl rollout restart deployment/crowdsec-lapi -n crowdsec - kubectl rollout restart daemonset/crowdsec-agent -n crowdsec + helm upgrade crowdsec crowdsec/crowdsec -n crowdsec -f values.yaml ``` From 73589ff8500adf2997af0c3d164b6772401ee755 Mon Sep 17 00:00:00 2001 From: jdv Date: Tue, 14 Oct 2025 21:14:49 +0200 Subject: [PATCH 7/9] finalizing fixes --- .../getting_started/health_check.mdx | 70 ++++++------------- 1 file changed, 20 insertions(+), 50 deletions(-) diff --git a/crowdsec-docs/unversioned/getting_started/health_check.mdx b/crowdsec-docs/unversioned/getting_started/health_check.mdx index b4903b8d6..0224684ac 100644 --- a/crowdsec-docs/unversioned/getting_started/health_check.mdx +++ b/crowdsec-docs/unversioned/getting_started/health_check.mdx 
@@ -442,38 +442,36 @@ Were all the tests related to your setup successful? ## 🔌 CrowdSec Connectivity checks -### Is your Security Engine receiving community blocklists? +### *Check CAPI status* -Let’s confirm that your Security Engine can communicate with the CrowdSec Central API (CAPI). +Let's confirm that your Security Engine can communicate with the CrowdSec Central API (CAPI). This connection allows you to: - Receive **Community Blocklists** -- curated IPs flagged as malicious by the global CrowdSec network. - Receive additional Blocklists of your choice among the ones available to you. - Contribute back -- sharing detected Malicious IPs triggering installed scenarios.
- 🔌 CrowdSec Central API connectivity + 🔌 CrowdSec Central API connectivity test - The most direct way to verify connectivity is to see if your instance has already received decisions from the Community Blocklist. - - 1️⃣ List decisions coming from CAPI + Check your CAPI connection status: - sudo cscli decisions list --origin CAPI + sudo cscli capi status - docker exec crowdsec cscli decisions list --origin CAPI + docker exec crowdsec cscli capi status - kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli decisions list --origin CAPI + kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli capi status - ☑️ If you see decisions, you're connected and receiving threat intel. + ☑️ You should see: `INFO You can successfully interact with Central API (CAPI)` **Notes:** - - On a fresh install, it might take a few minutes before any decisions appear. - - Restarting the CrowdSec service will force it to perform a first pull. + - On a fresh install, credentials might need to be registered (see troubleshooting below). + - The output also shows information about the connectivity config file path and enrollment status with CrowdSec Console.
### Were all the tests successful ? @@ -486,21 +484,11 @@ Were all the tests related to your setup successful?
🐞 Connectivity Troubleshooting - Let's verify your CAPI connection step-by-step. + If the CAPI status check fails, here are the most common issues and solutions: - **Check CAPI status:** - ```bash - sudo cscli capi status - ``` - - **Should show:** - - `INFO You can successfully interact with Central API (CAPI)` - - Information about the connectivity config file path - - Enrollment status with CrowdSec Console - **Common issues:** - **Missing credentials**: If `online_api_credentials.yaml` is missing: ```bash @@ -517,14 +505,6 @@ Were all the tests related to your setup successful? - **Check CAPI status:** - ```bash - docker exec crowdsec cscli capi status - ``` - - **Should show:** - - `INFO You can successfully interact with Central API (CAPI)` - **Common issues:** - **No internet from container**: Ensure container can reach external networks ```bash @@ -542,15 +522,6 @@ Were all the tests related to your setup successful? - **Check CAPI status:** - ```bash - kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli capi status - ``` - - **Should show:** - - `INFO You can successfully interact with Central API (CAPI)` - - Enrollment information if configured - **Common issues:** - **No external connectivity**: Test from pod: ```bash 
@@ -693,22 +664,21 @@ You might want to continue to the next recommended steps: ``` **Common issues:** - - **Service discovery**: Bouncer should connect to `http://crowdsec-lapi.crowdsec.svc.cluster.local:8080` - - **Register bouncer**: For Kubernetes remediation components (Ingress-Nginx, Traefik): + - **Service discovery**: Bouncer should connect to `http://crowdsec-service.crowdsec.svc.cluster.local:8080` + - **Register bouncer**: ```bash - # Generate API key - kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli bouncers add k8s-bouncer - - # Or pre-configure in values.yaml + # Generate API key with a tool of your choice + # Then fill the values.yaml accordingly to dictates the bouncer name and api key use for this communication with LAPI + # values.yaml lapi: env: - - name: BOUNCER_KEY_k8s - value: "your-api-key-here" + - name: BOUNCER_KEY_ + value: "api-key-you-want-this-bouncer-to-use" ``` - **Network policies**: Ensure bouncer namespace can reach crowdsec namespace - - **Service accessibility**: Verify the crowdsec-lapi service is accessible: + - **Service accessibility**: Verify the LAPI, named `crowdsec-service` is accessible: ```bash - kubectl get svc -n crowdsec crowdsec-lapi + kubectl get svc -n crowdsec crowdsec-service ``` **For Ingress Nginx bouncer:** From 6aab2bfcc55ecf2817777c5b1957e89cb0f46666 Mon Sep 17 00:00:00 2001 From: jdv Date: Tue, 14 Oct 2025 21:23:14 +0200 Subject: [PATCH 8/9] final fix --- .../getting_started/health_check.mdx | 40 ++++++++++++------- .../getting_started/introduction.mdx | 4 ++ 2 files changed, 30 insertions(+), 14 deletions(-) diff --git a/crowdsec-docs/unversioned/getting_started/health_check.mdx b/crowdsec-docs/unversioned/getting_started/health_check.mdx index 0224684ac..fcb3bf671 100644 --- a/crowdsec-docs/unversioned/getting_started/health_check.mdx +++ b/crowdsec-docs/unversioned/getting_started/health_check.mdx 
@@ -11,10 +11,10 @@ import CodeBlock from '@theme/CodeBlock'; Health Check Version: 0.2.0 -Welcome to the interactive Health-Check of your CrowdSec setup. -We'll guide you through a series of tests to ensure that your Security Stack is fully functional and ready to protect your services: -**Detecting**, **Threat Sharing** and **Remediating**. -*This guide covers cases of protecting common services such as web servers (HTTP) and SSH.* +Welcome to the interactive Health-Check of your CrowdSec setup. +We'll guide you through a series of tests to ensure that your Security Stack is fully functional and ready to protect your services: +**Detecting**, **Threat Sharing** and **Remediating**. +*This guide covers cases of protecting common services such as web servers (HTTP) and SSH.* We'll first test the final functionality of each component (top-down approach) before diving into detailed troubleshooting if issues arise. @@ -23,6 +23,10 @@ This health check is divided into three main sections: - [**🔗 Connectivity**](#-crowdsec-connectivity-checks): Verifying communication with the CrowdSec network to receive the community blocklist. - [**🛡️ Protection**](#-remediation-checks): Confirming that your bouncers automatically block threats detected by CrowdSec +:::tip Your feedback matters! +Help us improve this health check guide by sharing your experience: [📝 **Health Check Feedback Form** ↗️](https://forms.gle/DJboC7oisjmA8qt78) +::: + * * * ## 📡 Detection checks 
@@ -53,9 +57,10 @@ We'll trigger the dummy scenario `crowdsecurity/http-generic-test` by accessing -**Notes:** -- Requests from private IP addresses won't trigger alerts (private IPs are whitelisted by default). - - You can also test via a browser if easier, especially from another device. +**Notes:** +- ⚠️ **Important**: Requests from **private IP addresses won't trigger alerts** (private IPs are whitelisted by default). + - If testing from localhost or your internal network (192.168.x.x, 10.x.x.x, 172.16.x.x), the test will fail. + - **Solution**: Test from an external device with a public IP address, or test via a browser from your phone using mobile data. - This scenario can be triggered again only after a 5-minutes delay.
@@ -328,7 +333,16 @@ Were all the tests related to your setup successful? **⚠️ Log format mismatch:** - If your logs don't follow the expected format (e.g., they've been customized), CrowdSec might not parse them properly. - - You can find more information on how to create your own parsers in the [CrowdSec documentation](https://doc.crowdsec.net/docs/next/log_processor/parsers/format). + - **Check which log format the Hub parser expects:** + - Each parser on the Hub documents the expected log format. For example: + - [**NGINX parser** ↗️](https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/nginx-logs) expects the default combined log format + - [**Apache parser** ↗️](https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/apache2-logs) expects the standard combined format + - Compare your actual log format with the expected format to identify mismatches + - **For custom log formats:** + - **Example**: If you use a custom NGINX log format like `log_format custom '$remote_addr - $request - $status';`, you'll need a custom parser + - Use the [**CrowdSec Playground** ↗️](https://playground.crowdsec.net/) to test and develop your parsers interactively + - The playground lets you test GROK patterns, parsers, and scenarios in real-time before deploying them + - Full guide on creating parsers: [CrowdSec Parser Documentation](https://doc.crowdsec.net/docs/next/log_processor/parsers/format)
@@ -694,10 +708,8 @@ You might want to continue to the next recommended steps: -## 💬 Your feedback is important! - -Help us improve this health check guide! -Give us feedback via this form: [📝 Health Check Feedback Form ↗️](https://forms.gle/DJboC7oisjmA8qt78) +## 💬 Get Help & Give Feedback -[📨 Open an issue on GitHub ↗️](https://github.com/crowdsecurity/crowdsec-docs/issues/new) or -🗣️ Join the conversation on [Discord ↗️](https://discord.gg/wGN7ShmEE8) \ No newline at end of file +- 📝 [Health Check Feedback Form ↗️](https://forms.gle/DJboC7oisjmA8qt78) +- 📨 [Open an issue on GitHub ↗️](https://github.com/crowdsecurity/crowdsec-docs/issues/new) +- 🗣️ [Join us on Discord ↗️](https://discord.gg/wGN7ShmEE8) \ No newline at end of file diff --git a/crowdsec-docs/unversioned/getting_started/introduction.mdx b/crowdsec-docs/unversioned/getting_started/introduction.mdx index 1a3886def..c3f885fca 100644 --- a/crowdsec-docs/unversioned/getting_started/introduction.mdx +++ b/crowdsec-docs/unversioned/getting_started/introduction.mdx @@ -81,6 +81,10 @@ CrowdSec Security Engine uses the following default ports (bound to localhost/lo * 6060/tcp: Prometheus metrics port * 8080/tcp: API port +## Next Steps + +After installing CrowdSec, use our **[interactive Health-Check guide](health_check.mdx)** to verify your setup is working correctly. It will walk you through testing detection, connectivity, and remediation to ensure your Security Stack is fully functional. + ## Resources From 3e468467e0f8deae5a25c5d75d7877eb0c925f30 Mon Sep 17 00:00:00 2001 From: jdv Date: Fri, 17 Oct 2025 10:21:07 +0200 Subject: [PATCH 9/9] using -s option to grep scenario from alert list --- .../getting_started/health_check.mdx | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/crowdsec-docs/unversioned/getting_started/health_check.mdx b/crowdsec-docs/unversioned/getting_started/health_check.mdx index fcb3bf671..40d576d92 100644 
--- a/crowdsec-docs/unversioned/getting_started/health_check.mdx
+++ b/crowdsec-docs/unversioned/getting_started/health_check.mdx
@@ -47,13 +47,13 @@ We'll trigger the dummy scenario `crowdsecurity/http-generic-test` by accessing
- sudo cscli alerts list | grep crowdsecurity/http-generic-test
+ sudo cscli alerts list -s crowdsecurity/http-generic-testss
- docker exec crowdsec cscli alerts list | grep crowdsecurity/http-generic-test
+ docker exec crowdsec cscli alerts list -s crowdsecurity/http-generic-test
- kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli alerts list | grep crowdsecurity/http-generic-test
+ kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli alerts list -s crowdsecurity/http-generic-test
@@ -76,14 +76,14 @@ We'll trigger the dummy scenario `crowdsecurity/ssh-generic-test` by attempting
- sudo cscli alerts list | grep crowdsecurity/ssh-generic-test
+ sudo cscli alerts list -s crowdsecurity/ssh-generic-test
- docker exec crowdsec cscli alerts list | grep crowdsecurity/ssh-generic-test
+ docker exec crowdsec cscli alerts list -s crowdsecurity/ssh-generic-test
 It's uncommon to have to deal with this scenario in Kubernetes, but if you do:
- kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli alerts list | grep crowdsecurity/ssh-generic-test
+ kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli alerts list -s crowdsecurity/ssh-generic-test
@@ -106,13 +106,13 @@ We'll trigger the dummy scenario `crowdsecurity/appsec-generic-test` by accessin
- sudo cscli alerts list | grep crowdsecurity/appsec-generic-test
+ sudo cscli alerts list -s crowdsecurity/appsec-generic-test
- docker exec crowdsec cscli alerts list | grep crowdsecurity/appsec-generic-test
+ docker exec crowdsec cscli alerts list -s crowdsecurity/appsec-generic-test
- kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli alerts list | grep crowdsecurity/appsec-generic-test
+ kubectl exec -n crowdsec -it $(kubectl get pods -n crowdsec -l k8s-app=crowdsec -l type=lapi -o name) -- cscli alerts list -s crowdsecurity/appsec-generic-test