fw bouncer metrics #621

Merged
merged 4 commits into from
Sep 24, 2024
29 changes: 29 additions & 0 deletions crowdsec-docs/unversioned/bouncers/firewall.mdx
Expand Up @@ -166,6 +166,35 @@ table ip6 crowdsec6 {
```


## Metrics

:::info
CrowdSec v1.6.3 and Firewall Remediation Component v0.0.30 are minimum versions required to have metrics.
:::

You can check the metrics generated by the firewall-bouncer using the command `cscli metrics show bouncers`.

![firewall-bouncer-metrics](/img/firewall-bouncer-metrics.png)

Each line in the output represents a different source of blocked IPs, along with detailed metrics.

- `Origin` refers to the name of the source, which could be:
- `CAPI` - The community blocklist that you receive in exchange for the information you provide to the network
- `crowdsec (security engine)` - The decisions made by your Security Engine based on triggered scenarios
- `lists:*` - Various lists to which you are subscribed
- `active_decisions IPs` represents the number of IPs contained in the respective list
- `dropped bytes & packets` indicates the number of bytes and packets dropped by the firewall due to the actions of the specified origin
- `processed bytes & packets` is only present for the `Total` line, as it denotes the overall number of bytes and packets processed by your firewall.


As the firewall bouncer operates at the network level, most malicious programs will not progress beyond attempting to establish a connection (and being denied). Therefore, metrics cannot reflect the "potentially saved traffic."

### Ipset only mode

If you are running ipset only mode, crowdsec-firewall-bouncer tries parsing the output to produce metrics, but:
- "managed" firewalls such ufw might confuse parser and lead to inconsistent metrics.
- "total" counters amount since the machine start, or iptables counter are reset, which can lead to inconsistent metrics.

## Configuration Reference

You can find a default configuration hosted on the [Github Repository](https://github.com/crowdsecurity/cs-firewall-bouncer/blob/main/config/crowdsec-firewall-bouncer.yaml) this is provided with the installation package.
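
Review bot: In the "Ipset only mode" section, the second bullet ("total" counters amount since the machine start, or iptables counter are reset) does not parse as a sentence, and it is the caveat operators need in order to judge whether the numbers can be trusted. If the intent is that the totals accumulate from machine start or from the last iptables counter reset rather than from bouncer start, please say so explicitly. In the first bullet, "such ufw might confuse parser" should read "such as ufw might confuse the parser", and the sentence introducing the bullets says only "tries parsing the output" without naming which command's output is parsed; naming it would let readers check the raw counters themselves. Separately, the three items under `Origin` (`CAPI`, `crowdsec (security engine)`, `lists:*`) appear at the same level as `Origin` itself, so they need indenting if they are meant to render as a nested list.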