The cscli alerts inspect id command does not show the true Remediation status | CrowdSec | Page 1

strong elm Dec 22, 2025, 8:59 PM

#

Hi,
I have this problem. The cscli alerts list command shows alerts, but everywhere it displays Remediation: false.
However, in the npmplus logs I have:

2025/12/22 21:32:33 [alert] 1840#1840: *1501 [lua] crowdsec.lua:642: Allow(): [Crowdsec] denied 'xxx.xx.xxx.xx' with 'ban' (by appsec), client: xxx.xx.xxx.xx, server: mapu.test, request: "GET /sqli_1.php?title=0%27+union+select+all+1%2C+concat%28id%2Clogin%29%2Cpassword%2Cemail%2Csecret%2C6%2C7+from+users+%23%3B&action=search HTTP/1.1", host: "mapu.test", referrer: "http://mapu.test/sqli_1.php?title=1%27+or+1%3D1%23&action=search"
2025/12/22 21:32:33 [alert] 1840#1840: *1501 [lua] crowdsec.lua:642: Allow(): [Crowdsec] denied 'xxx.xx.xxx.xx' with 'ban' (by appsec), client: xxx.xx.xxx.xx, server: mapu.test, request: "GET /favicon.ico HTTP/1.1", host: "mapu.test", referrer: "http://mapu.test/sqli_1.php?title=0%27+union+select+all+1%2C+concat%28id%2Clogin%29%2Cpassword%2Cemail%2Csecret%2C6%2C7+from+users+%23%3B&action=search"

So it's clear from this that the request was blocked.
Why doesn't the cscli alerts inspect id command show correctly whether the request was blocked?

docker exec -it crowdsec cscli alerts inspect 166

 - ID           : 166
 - Date         : 2025-12-22T20:32:34Z
 - Machine      : localhost
 - Simulation   : false
 - Remediation  : false
 - Reason       : anomaly score block: sql_injection: 55, anomaly: 55,
 - Events Count : 8
....

docker exec -it crowdsec cscli alerts inspect 167

 - ID           : 167
 - Date         : 2025-12-22T20:32:34Z
 - Machine      : localhost
 - Simulation   : false
 - Remediation  : false
 - Reason       : anomaly score block: sql_injection: 5, anomaly: 5,
 - Events Count : 4

Can something be done so that the cscli alerts inspect id command shows whether a given request was actually blocked? I'd like to be able to check everything quickly from one place, instead of searching for that request in npmplus logs later.

ashen sparrowBOT Dec 22, 2025, 8:59 PM

#

Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

strong elm Dec 22, 2025, 9:03 PM

#

#

The cscli alerts inspect id command does not show the true Remediation status

#The cscli alerts inspect id command does not show the true Remediation status