#metrics not showing in webapp

hey, I just set up crowdsec with traefik and enrolled to the crowdsec webapp. there are no alerts showing up, but cscli metrics shows some scans etc. does it take some time to show them or did I set up something wrong. not sure. any help is appreciated.
(I tested with manual ip ban rules that crowdsec works)

/ # cscli version
version: v1.7.0-c3036e21
Codename: alphaga
BuildDate: 2025-09-03_12:09:23
GoVersion: 1.24.6
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.7.0-c3036e21-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog

Hello,

We have identified an issue where the display of alerts in the console is delayed, we are working on a fix

thank you for your reply. what's the time definition of delayed? I still don't see any alerts and it has been running for over 12 hours

from what we saw, around 2h
but we are still investigating the exact cause
could you paste the output of cscli alerts list ?

/ # cscli alerts list
╭────┬────────────────────┬───────────────────────────────┬─────────┬────┬───────────┬──────────────────────╮
│ ID │        value       │             reason            │ country │ as │ decisions │      created_at      │
├────┼────────────────────┼───────────────────────────────┼─────────┼────┼───────────┼──────────────────────┤
│ 16 │ Ip:xxx.xxx.xxx.178 │ manual 'ban' from 'localhost' │         │    │ ban:1     │ 2025-10-17T07:46:14Z │
│ 15 │ Ip:xxx.xxx.xxx.178 │ manual 'ban' from 'localhost' │         │    │ ban:1     │ 2025-10-17T07:32:29Z │
│ 14 │ Ip:xxx.xxx.xxx.178 │ manual 'ban' from 'localhost' │         │    │ ban:1     │ 2025-10-17T07:31:28Z │
│ 4  │ Ip:xxx.xxx.xxx.178 │ test                          │         │    │ ban:1     │ 2025-10-16T13:43:26Z │
│ 3  │ Ip:xxx.xxx.xxx.178 │ test block                    │         │    │ ban:1     │ 2025-10-16T12:47:38Z │
│ 2  │ Ip:xxx.xxx.xxx.148 │ test block                    │         │    │ ban:1     │ 2025-10-16T12:46:59Z │
│ 1  │ Ip:1.2.3.4         │ manual test                   │         │    │ ban:1     │ 2025-10-16T12:42:37Z │
╰────┴────────────────────┴───────────────────────────────┴─────────┴────┴───────────┴──────────────────────╯

We found the issue, the delay is actually a bit "luck based" (tl;dr: we treat signals users send in batch, and we had some signals that contained data that was not properly handled by the console, which led to the entire batch being dropped. The system will retry automatically, but whether your data was inserted is dependant on the entire batch being "clean", so it can take a lot of retries)

I am not sure if my traefik container picks up the logs correctly from traefik. is there a way to check this? The volumes are mounted correct

cscli metrics should tell you if the logs are read/parsed properly (1st table)

You can also do cscli machines list to get the name of the log processor, then cscli machines inspect <name> to get more detailled information about what is read/what is parsed

/ # cscli metrics
╭───────────────────────────────────────────╮
│ Local API Decisions                       │
├─────────────────┬────────┬────────┬───────┤
│ Reason          │ Origin │ Action │ Count │
├─────────────────┼────────┼────────┼───────┤
│ generic:scan    │ CAPI   │ ban    │ 805   │
│ http:bruteforce │ CAPI   │ ban    │ 6419  │
│ http:crawl      │ CAPI   │ ban    │ 2871  │
│ http:exploit    │ CAPI   │ ban    │ 1084  │
│ http:scan       │ CAPI   │ ban    │ 811   │
│ ssh:bruteforce  │ CAPI   │ ban    │ 2467  │
│ ssh:exploit     │ CAPI   │ ban    │ 529   │
╰─────────────────┴────────┴────────┴───────╯
╭────────────────────────────────────╮
│ Local API Metrics                  │
├────────────────────┬────────┬──────┤
│ Route              │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/alerts         │ GET    │ 1    │
│ /v1/decisions      │ GET    │ 3    │
│ /v1/heartbeat      │ GET    │ 3    │
│ /v1/usage-metrics  │ POST   │ 1    │
│ /v1/watchers/login │ POST   │ 2    │
╰────────────────────┴────────┴──────╯
...

...
╭─────────────────────────────────────────────────╮
│ Local API Bouncers Metrics                      │
├─────────────────┬───────────────┬────────┬──────┤
│ Bouncer         │ Route         │ Method │ Hits │
├─────────────────┼───────────────┼────────┼──────┤
│ traefik-bouncer │ /v1/decisions │ GET    │ 3    │
╰─────────────────┴───────────────┴────────┴──────╯
╭─────────────────────────────────────────────────────╮
│ Local API Bouncers Decisions                        │
├─────────────────┬───────────────┬───────────────────┤
│ Bouncer         │ Empty answers │ Non-empty answers │
├─────────────────┼───────────────┼───────────────────┤
│ traefik-bouncer │ 3             │ 0                 │
╰─────────────────┴───────────────┴───────────────────╯
╭───────────────────────────────────────────╮
│ Local API Machines Metrics                │
├───────────┬───────────────┬────────┬──────┤
│ Machine   │ Route         │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/alerts    │ GET    │ 1    │
│ localhost │ /v1/heartbeat │ GET    │ 3    │
╰───────────┴───────────────┴────────┴──────╯

ah
so yeah, nothing is read

(the section will not exist until at least one line has been read)

the decisions you see are from the community blocklist

understood

can you show the content of your acquisition configuration ?

that's probably what I am missing

you are talking about the acquis.d folder?

if yes, it is empty -> I don't have one

ah, nvm.

{"source": "file", "filename": "/does/not/exist", "labels": {"type": "syslog"}}```

this one is a placeholder when running crowdsec in docker

you need to create a new one in acquis.d to read your traefik logs

for example, assuming traefik logs are mounted in /logs in the crowdsec container:

source: file
filenames:
 - /logs/*.log
labels:
 type: traefik

Mount this in /etc/crowdsec/acquis.d/traefik.yaml and it should be good

I created /etc/crowdsec/acquis.d/traefik.yaml

source: file
filenames:
 - /logs/traefik/*.log
labels:
 type: traefik

my docker volume for the logs:

-v '/mnt/user/appdata/docker/pangolin/config/traefik/':'/logs/traefik':'ro'

and you also need to make sure the crowdsecurity/traefik collection is installed in the container (add it in the COLLECTIONS env var)

╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics                                                                                                             │
├───────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                                │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├───────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/logs/traefik/traefik_access.log │ 26         │ 26           │ -              │ 3                      │ -                 │
╰───────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

cool 🙂

this is already the case

@ashen grotto why is only traefik_access.log picked up and not the traefik.log

/logs/traefik # ls -l
total 7540
-rw-------    1 99       users         2935 Oct 17 11:12 dynamic_config.yml
-rw-r--r--    1 root     root         27885 Oct 16 15:45 resource-overrides.yml
-rw-r--r--    1 root     root         18670 Oct 17 11:12 traefik.log
-rw-r--r--    1 root     root       7655552 Oct 17 11:33 traefik_access.log
-rw-r--r--    1 root     root          1442 Oct 16 17:08 traefik_config.yml
-rw-r--r--    1 root     root          1175 Oct 16 13:51 traefik_config.yml.bak.20251016135121

and btw. thank you very much for your help. it is much appreciated 🫶

a file will only appear in metrics after at least one line has been written to it since crowdsec start

so it will appear eventually?

if something gets written to it, yes

ah, now those got blocked from traefik:

╭───────┬──────────┬──────────────────┬───────────────────────────────────────┬────────┬─────────┬──────────────────────────────────┬────────┬────────────┬──────────╮
│   ID  │  Source  │    Scope:Value   │                 Reason                │ Action │ Country │                AS                │ Events │ expiration │ Alert ID │
├───────┼──────────┼──────────────────┼───────────────────────────────────────┼────────┼─────────┼──────────────────────────────────┼────────┼────────────┼──────────┤
│ 15000 │ crowdsec │ Ip:125.17.108.32 │ crowdsecurity/thinkphp-cve-2018-20062 │ ban    │ IN      │ 9498 BHARTI Airtel Ltd.          │ 1      │ 3h58m55s   │ 5        │
│ 14997 │ crowdsec │ Ip:20.65.195.33  │ crowdsecurity/CVE-2022-41082          │ ban    │ US      │ 8075 MICROSOFT-CORP-MSN-AS-BLOCK │ 1      │ 3h54m12s   │ 2        │
╰───────┴──────────┴──────────────────┴───────────────────────────────────────┴────────┴─────────┴──────────────────────────────────┴────────┴────────────┴──────────╯

I also have geoblock enabled. does it make sense to have crowdsec before or after geoblock?

both are fine
Geoblock after crowdsec will log more alerts, which means more information about what is actually happening
Geoblock before will drop IPs you don't want to see anyway, so you don't actually care about what they're doing

Resolving metrics not showing in webapp

This has now been resolved. If you think this is a mistake please run /unresolve

Unresolving metrics not showing in webapp

This has now been unresolved.

I just noticed that I get banned if I click around in the traefik web UI for http-crawl-non_statics, do I really have to whitelist my IP? why is it doing that?

crawl non static will trigger if you make too many requests in a short timeframe (roughly anything more than 40 requests in 20seconds on average)

you can see more details about what caused that by running cscli alerts list to get the alert id and then cscli alerts inspect -d <alert_id>

whitelisting your own IP is probably the easiest way to workaround this

in the container, you can run:

cscli allowlists create myallowlist -d 'some description'
cscli allowlists add myallowlist YOUR_IP

no need to restart, it will be automatically used by crowdsec, and any existing decisions on your IP will be automatically removed

thank you. I was doing stuff locally, why did it ban my ISPs IP?

(I am using pangolin as a reverse proxy, no tunnels. and obv. traefik)

crowdsec bans the IP it sees in the logs, so this means you somehow hit it from your public IP even if it runs on your LAN (eg, you accessed the service from a domain that resolves to your public IP)

CrowdSec will ban IPs it sees in your logs that are seen doing malicious events. It's not some magical system that somehow knows this address is your ISP or your home address.

We provide ample documentation on white/allow listing https://docs.crowdsec.net/u/getting_started/post_installation/whitelists

I get that, but why is it not detecting me as a local ip? Sorry for this stupid question. Is it because of the reverse proxy?