Security Engine Offline
The Security Engine Offline issue indicates that an enrolled Security Engine has not reported to CrowdSec Central API for more than 48 hours.
This usually means the core crowdsec service has stopped working or communicating with our infrastructure.
What Triggers This Issueโ
- Trigger condition: No contact with Console for 48 hours
- Criticality: ๐ฅ Critical
- Impact: Complete loss of visibility and protection coordination
Common Root Causesโ
- Host or service down: The CrowdSec service has stopped or the host itself is unreachable.
- Console connectivity issues: Network, firewall, or proxy blocking HTTPS calls to Console endpoints, or TLS validation failures.
Diagnosis & Resolutionโ
Host or service downโ
๐ Check if CrowdSec service is runningโ
Check that the crowdsec service is running:
sudo systemctl status crowdsec
sudo journalctl -u crowdsec -n 50
Run this command for Docker or Kubernetes
docker ps --filter name=crowdsec
kubectl get pods -n crowdsec
If the host itself is unreachable (hypervisor, VM, or cloud instance down), the Console cannot receive a heartbeat and marks the engine offline.
๐ ๏ธ Restart the Security Engine serviceโ
Restart the Security Engine service:
sudo systemctl restart crowdsec
For Docker or Kubernetes
Docker:
docker restart crowdsec
Kubernetes:
kubectl rollout restart deployment/crowdsec -n crowdsec
After restarting, re-run sudo cscli console status to ensure the heartbeat is restored.
Console connectivity issuesโ
๐ Check console status and logs for connectivity errorsโ
sudo cscli console status may show errors such as permission denied, unable to reach console, or TLS failures. Inspect /var/log/crowdsec/crowdsec.log (or container stdout) for details.
Confirm that your Security Engine can communicate with CrowdSec Central API (CAPI):
sudo cscli capi status
Also check that the Security Engine Local API is running and healthy:
sudo cscli machines list
In a standalone install, you should see one machine. Check the Last Update time.
Ensure outbound access to the CrowdSec Console endpoints listed in Network management. Firewalls or proxy changes often block the HTTPS calls required for heartbeats.
Verify system time is synced (via NTP). Large clock drifts can invalidate console tokens.
๐ ๏ธ Restore connectivity to the Consoleโ
Restore connectivity to the Console:
-
Check that you can access crowdsec services and APIs listed in network management
-
If a proxy is required, configure it in
/etc/crowdsec/config.yamlundercommon.http_proxiesand reload the service. -
Renew TLS trust stores if the host cannot validate the Console certificate chain.
Test connectivity:
curl -I https://api.crowdsec.net/
For CAPI connectivity issues you can follow the posts-install health check step for connectivity.
In the rare case you saw zero machines in your machines list, try:
sudo cscli machine add --auto --force
Verify Resolutionโ
After making changes:
Restart or reload CrowdSec: sudo systemctl restart crowdsec
-
Check engine status:
SHsudo cscli console status -
Verify in the Console the security engine "last activity" date
Once the engine resumes contact, the Console clears the Security Engine Offline alert during the next poll.
๐ก Consider enabling the Security Engine Offline notification in your preferred integration so future outages are caught quickly.
Related Issuesโ
- Log Processor Offline - If specific agents are offline
- Security Engine Troubleshooting - General Security Engine issues
Getting Helpโ
If you still cannot restore Security Engine heartbeat to CrowdSec Console: