Troubleshooting Remediation Components

Community support

Please try to resolve your issue by reading the documentation. If you're unable to find a solution, don't hesitate to seek assistance in:

• Discourse
• Discord

info

{component} is used as a placeholder for the name of the component you are using. For example crowdsec-firewall-bouncer for the firewall bouncer.

Health

How to check the status

Linux/Freebsd

SH

sudo systemctl status {component}

Windows

SH

Get-Service {component}

Configuration

Where is configuration stored?

Configuration files by default are located in:

• Linux /etc/crowdsec/bouncers/
• Freebsd /usr/local/etc/crowdsec/bouncers/
• Windows C:\ProgramData\CrowdSec\bouncers\

Logs

Where are the logs stored?

By default Remediation components will log to the following locations depending on platform:

• Linux /var/log/{component}.log
• Freebsd /var/log/{component}.log
  • Opnsense /var/log/crowdsec/{component}.log
  • Pfsense /var/log/crowdsec/{component}.log
• Windows C:\ProgramData\CrowdSec\log\{component}.log

Filtering logs to only show errors

Use OS-specific commands to filter logs and show only errors.

Linux/Freebsd

SH

sudo grep -E "level=(error|fatal)" /var/log/{component}.log

Windows

Powershell

SH

Select-String "level=(error|fatal)" C:\ProgramData\CrowdSec\log\{component}.log

CMD

SH

findstr "level=error level=fatal" C:\ProgramData\CrowdSec\log\{component}.log

Please make sure the log location matches your distribution.

My Remediation Component shows no errors in its log file but still fails to start/work

This usually means the bouncer cannot parse its configuration file. To identify the failing line, use systemd/journalctl:

SH

sudo systemctl status <bouncer-service-name> -l

SH

sudo journalctl -u <bouncer-service-name> -l

Common Issues

Cannot connect to the local API

• error message might look like:

TEXT

level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: connect: connection refused"

• solution verify that the local API runs on the logged IP and port. If the logged IP/port is incorrect, edit the bouncer configuration file. If it is correct, verify that the local API is running.

Cannot authenticate to the local API

• error message might look like:

TEXT

time="19-04-2022 15:43:07" level=error msg="API error: access forbidden"

• solution regenerate the API key via cscli bouncers and replace the old one in the bouncer configuration file. Do not reuse the same key name.