Security Engine No Active Remediation Component
The Security Engine No Active Remediation Component issue appears when a Security Engine has Remediation Components (bouncers) registered, but none of them have sent a heartbeat in the past 24 hours.
Registered but inactive Remediation Components mean your Security Engine's decisions are not being enforced โ attackers are detected but never blocked.
What Triggers This Issueโ
- Trigger condition: All registered Remediation Components have been inactive for 24+ hours
- Criticality: ๐ฅ Critical
- Impact: Security Engine decisions are not being enforced โ no active blocking is taking place.
Common Root Causesโ
- Configuration file errors: The RC's configuration file has incorrect settings, preventing it from starting or connecting.
- Invalid credentials: The API key in the RC configuration is wrong, expired, or was regenerated.
- Security Engine not accessible: The RC cannot reach the Security Engine's Local API (LAPI).
- RC service not running: The bouncer process or module is stopped or crashed.
- Other RC-specific issues: Dependency, permission, or integration-specific problems.
Diagnosis & Resolutionโ
Configuration file errorsโ
๐ Locate and inspect the RC configuration fileโ
Configuration files are typically found at:
/etc/crowdsec/bouncers/crowdsec-<bouncer-name>-bouncer.yaml
or .conf for older bouncers. Check your specific RC documentation for the exact path.
Open the file and verify the following fields are present and correctly set:
api_url: the address of your Security Engine's LAPI (e.g.http://127.0.0.1:8080)api_key: a valid API key generated withcscli bouncers add
Properties may change slightly, check the specific configuration for your bouncer
๐ ๏ธ Fix the configuration and restart the RCโ
After editing the configuration file, restart the RC service to apply changes:
sudo systemctl restart crowdsec-<bouncer-name>-bouncer
Check the RC logs for startup errors:
sudo journalctl -u crowdsec-<bouncer-name>-bouncer --since "10 minutes ago"
Invalid credentialsโ
๐ Verify the API key is validโ
The API key in the RC's configuration must match a key registered on the Security Engine. Check currently registered bouncers and their keys:
sudo cscli bouncers list
If the key was regenerated or the bouncer was re-added, the old key is no longer valid.
๐ ๏ธ Generate a new API key and update the RCโ
- Remove the stale bouncer registration (if needed):
sudo cscli bouncers delete <bouncer-name>
- Generate a new key:
sudo cscli bouncers add <bouncer-name>
- Copy the generated API key into the RC's configuration file (
api_keyfield) - Restart the RC service
Security Engine not accessibleโ
The RC must be able to reach the Security Engine's LAPI. This can fail due to network changes, firewall rules, or a LAPI bind address that only listens on localhost.
๐ Test connectivity from the RC hostโ
# Replace with your actual LAPI address and port
curl -s http://127.0.0.1:8080/health
A healthy LAPI returns {"status":"up"}. Anything else indicates a connectivity or LAPI issue.
๐ Check the LAPI listen addressโ
sudo grep -i "listen_uri" /etc/crowdsec/config.yaml
If listen_uri is set to 127.0.0.1:8080 and the RC runs on a different host, it won't be reachable.
๐ ๏ธ Fix LAPI accessibilityโ
- If the RC is on the same host: verify
api_urlin the RC config useshttp://127.0.0.1:8080 - If the RC is on a different host: update
listen_uriin/etc/crowdsec/config.yamlto bind to the correct interface, ensure firewall rules allow the connection, and updateapi_urlin the RC config accordingly
See Network Management documentation for required endpoints.
RC service not runningโ
๐ Check the RC service statusโ
sudo systemctl status crowdsec-<bouncer-name>-bouncer
Look for error messages in the output. If the service is failed or inactive, check the logs:
sudo journalctl -u crowdsec-<bouncer-name>-bouncer -n 50
๐ ๏ธ Start the RC service and address errorsโ
sudo systemctl start crowdsec-<bouncer-name>-bouncer
sudo systemctl enable crowdsec-<bouncer-name>-bouncer
If the service fails to start, the logs will typically indicate the root cause (missing config, invalid key, unreachable LAPI, etc.).
Other RC-specific issuesโ
Beyond the common causes above, each RC type has its own specific failure modes. Refer to the relevant documentation for deeper troubleshooting:
- Missing system dependencies (e.g. Lua packages for the Nginx bouncer): see Nginx Bouncer
- Web server module not loaded (Nginx, Apache, HAProxy): see the respective RC documentation pages
- Elevated privilege requirements (Firewall bouncer needing root to manage nftables/iptables): see Firewall Bouncer
- External service credentials (Cloudflare API tokens, AWS IAM permissions): see Cloudflare Workers Bouncer or AWS WAF Bouncer
- PHP cache backend unavailable (Redis or Memcached not running): see PHP Bouncer
- TLS/mTLS certificate issues (invalid or expired client certificates): see your RC's documentation for TLS configuration
- General RC troubleshooting: see Remediation Components Troubleshooting
Verify Resolutionโ
After fixing the issue:
- Check the RC is running and connected:
sudo cscli bouncers list
The bouncer's Last Pull timestamp should update within a few minutes.
-
Check in the Console โ Navigate to your Security Engine. The active RC alert should clear automatically once a heartbeat is received.
-
Verify enforcement is working:
# Add a short test ban
sudo cscli decisions add --ip 1.2.3.4 --duration 1m
# Confirm the bouncer picked it up
sudo cscli metrics show bouncers
# Clean up
sudo cscli decisions delete --ip 1.2.3.4
Related Issuesโ
- Security Engine No Remediation Component โ If no RC is registered at all
- Security Engine Offline โ If the Security Engine itself is not reporting
- Remediation Component Integration Offline โ For BLaaS-connected RC integrations
Getting Helpโ
If your Remediation Component is still inactive after following these steps:
- Check Discourse for your specific RC type
- Ask on Discord with your RC logs and
cscli bouncers listoutput - Consult your RC's documentation page