Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fw bouncer metrics #621

Merged
merged 4 commits into from
Sep 24, 2024
Merged

fw bouncer metrics #621

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
84512c2
up
buixor Sep 18, 2024
a1eee07
up
buixor Sep 18, 2024
1ad65d7
enhance: spellcheck and add a info to specify a min ver
LaurenceJJones Sep 23, 2024
7a1b278
Merge branch 'main' into fw-metrics
LaurenceJJones Sep 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added crowdsec-docs/static/img/firewall-bouncer-metrics.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
29 changes: 29 additions & 0 deletions crowdsec-docs/unversioned/bouncers/firewall.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,35 @@ table ip6 crowdsec6 {
```


## Metrics

:::info
CrowdSec v1.6.3 and Firewall Remediation Component v0.0.30 are minimum versions required to have metrics.
:::

You can check the metrics generated by the firewall-bouncer using the command `cscli metrics show bouncers`.

![firewall-bouncer-metrics](/img/firewall-bouncer-metrics.png)

Each line in the output represents a different source of blocked IPs, along with detailed metrics.

- `Origin` refers to the name of the source, which could be:
- `CAPI` - The community blocklist that you receive in exchange for the information you provide to the network
- `crowdsec (security engine)` - The decisions made by your Security Engine based on triggered scenarios
- `lists:*` - Various lists to which you are subscribed
- `active_decisions IPs` represents the number of IPs contained in the respective list
- `dropped bytes & packets` indicates the number of bytes and packets dropped by the firewall due to the actions of the specified origin
- `processed bytes & packets` is only present for the `Total` line, as it denotes the overall number of bytes and packets processed by your firewall.


As the firewall bouncer operates at the network level, most malicious programs will not progress beyond attempting to establish a connection (and being denied). Therefore, metrics cannot reflect the "potentially saved traffic."

### Ipset only mode

If you are running ipset only mode, crowdsec-firewall-bouncer tries parsing the output to produce metrics, but:
- "managed" firewalls such ufw might confuse parser and lead to inconsistent metrics.
- "total" counters amount since the machine start, or iptables counter are reset, which can lead to inconsistent metrics.

## Configuration Reference

You can find a default configuration hosted on the [Github Repository](https://github.com/crowdsecurity/cs-firewall-bouncer/blob/main/config/crowdsec-firewall-bouncer.yaml) this is provided with the installation package.
Expand Down
Loading