fw bouncer metrics (#621)

* up * up * enhance: spellcheck and add a info to specify a min ver --------- Co-authored-by: Laurence <[email protected]>
crowdsecurity · Sep 24, 2024 · 30b5144 · 30b5144
1 parent 1dc7633
commit 30b5144
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/crowdsec-docs/static/img/firewall-bouncer-metrics.png b/crowdsec-docs/static/img/firewall-bouncer-metrics.png
diff --git a/crowdsec-docs/unversioned/bouncers/firewall.mdx b/crowdsec-docs/unversioned/bouncers/firewall.mdx
@@ -166,6 +166,35 @@ table ip6 crowdsec6 {
 ```
 
 
+## Metrics
+
+:::info
+CrowdSec v1.6.3 and Firewall Remediation Component v0.0.30 are minimum versions required to have metrics.
+:::
+
+You can check the metrics generated by the firewall-bouncer using the command `cscli metrics show bouncers`.
+
+![firewall-bouncer-metrics](/img/firewall-bouncer-metrics.png)
+
+Each line in the output represents a different source of blocked IPs, along with detailed metrics.
+
+- `Origin` refers to the name of the source, which could be:
+  - `CAPI` - The community blocklist that you receive in exchange for the information you provide to the network
+  - `crowdsec (security engine)` - The decisions made by your Security Engine based on triggered scenarios
+  - `lists:*` - Various lists to which you are subscribed
+- `active_decisions IPs` represents the number of IPs contained in the respective list
+- `dropped bytes & packets` indicates the number of bytes and packets dropped by the firewall due to the actions of the specified origin
+- `processed bytes & packets` is only present for the `Total` line, as it denotes the overall number of bytes and packets processed by your firewall.
+
+
+As the firewall bouncer operates at the network level, most malicious programs will not progress beyond attempting to establish a connection (and being denied). Therefore, metrics cannot reflect the "potentially saved traffic."
+
+### Ipset only mode
+
+If you are running ipset only mode, crowdsec-firewall-bouncer tries parsing the output to produce metrics, but:
+ - "managed" firewalls such ufw might confuse parser and lead to inconsistent metrics.
+ - "total" counters amount since the machine start, or iptables counter are reset, which can lead to inconsistent metrics.
+
 ## Configuration Reference
 
 You can find a default configuration hosted on the [Github Repository](https://github.com/crowdsecurity/cs-firewall-bouncer/blob/main/config/crowdsec-firewall-bouncer.yaml) this is provided with the installation package.