
Troubleshooting Remediation Components

Community support

Please try to resolve your issue by reading the documentation. If you're unable to find a solution, don't hesitate to seek assistance in:

{component} is a placeholder for the name of the component you are using, for example crowdsec-firewall-bouncer for the firewall bouncer.

Health

How to check the status

sudo systemctl status {component}

Configuration

Where is configuration stored?

Configuration files by default are located in:

  • Linux /etc/crowdsec/bouncers/
  • FreeBSD /usr/local/etc/crowdsec/bouncers/
  • Windows C:\ProgramData\CrowdSec\bouncers\

Logs

Where are the logs stored?

By default Remediation components will log to the following locations depending on platform:

  • Linux /var/log/{component}.log
  • FreeBSD /var/log/{component}.log
    • OPNsense /var/log/crowdsec/{component}.log
    • pfSense /var/log/crowdsec/{component}.log
  • Windows C:\ProgramData\CrowdSec\log\{component}.log

Filtering logs to only show errors

Use OS-specific commands to filter logs and show only errors.

sudo grep -E "level=(error|fatal)" /var/log/{component}.log

Please make sure the log location matches your distribution.

My Remediation Component shows no errors in its log file but still fails to start/work

This usually means the bouncer cannot parse its configuration file. To identify the failing line, use systemd/journalctl:

sudo systemctl status <bouncer-service-name> -l
sudo journalctl -u <bouncer-service-name> -l

Common Issues

Cannot connect to the local API

  • error message might look like:
level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: connect: connection refused"
  • solution: verify that the local API runs on the logged IP and port. If the logged IP/port is incorrect, edit the bouncer configuration file. If it is correct, verify that the local API is running.

Cannot authenticate to the local API

  • error message might look like:
time="19-04-2022 15:43:07" level=error msg="API error: access forbidden"
  • solution: regenerate the API key via cscli bouncers and replace the old one in the bouncer configuration file. Do not reuse the same key name.
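
The error filter from the Logs section and the two issues above can be combined into one triage pass. This is an added example, not part of the CrowdSec documentation or tooling: the function names (classify_line, triage_log, sample_log) are hypothetical, and the sample log is constructed from the two messages quoted above plus two constructed lines.

```shell
#!/bin/sh
# Added example: sort error/fatal lines from a remediation component log
# into the two common issues described on this page.

# classify_line LINE
# Prints: "lapi-unreachable <ip:port>", "lapi-auth-failed", "other",
# or "ignored" for lines that are not level=error / level=fatal.
classify_line() {
    line=$1
    case $line in
        *level=error*|*level=fatal*) ;;
        *) echo "ignored"; return 0 ;;
    esac
    case $line in
        *"connection refused"*)
            # Extract the endpoint the bouncer tried to reach, so it can be
            # compared with the address the local API listens on.
            endpoint=$(printf '%s\n' "$line" |
                sed -n 's/.*dial tcp \([^ ]*\): connect: connection refused.*/\1/p')
            echo "lapi-unreachable ${endpoint:-unknown}" ;;
        *"access forbidden"*)
            # The API key was rejected: regenerate it and update the config.
            echo "lapi-auth-failed" ;;
        *)  echo "other" ;;
    esac
}

# triage_log: reads a log on stdin and prints one summary line.
triage_log() {
    unreachable=0 auth=0 other=0
    while IFS= read -r l; do
        case $(classify_line "$l") in
            lapi-unreachable*) unreachable=$((unreachable + 1)) ;;
            lapi-auth-failed)  auth=$((auth + 1)) ;;
            other)             other=$((other + 1)) ;;
        esac
    done
    echo "unreachable=$unreachable auth_failed=$auth other=$other"
}

# Constructed sample log (lines 2 and 3 are the messages quoted on this page).
sample_log() {
    cat <<'EOF'
time="19-04-2022 15:43:01" level=info msg="constructed sample: component started"
level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: connect: connection refused"
time="19-04-2022 15:43:07" level=error msg="API error: access forbidden"
time="19-04-2022 15:43:09" level=fatal msg="constructed sample: unexpected failure"
EOF
}

sample_log | triage_log
```

On a real host, feed it the component log instead of the sample, for example `sudo cat /var/log/{component}.log | triage_log`, adjusting the path to your platform.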