CrowdSec agent enters CPU runaway state after ~3 hours, becomes unresponsive to SIGTERM

[GibsonSWE]

What happened?

The CrowdSec agent (PID process) reproducibly enters a CPU runaway state approximately 2-4 hours after a clean start, consuming 300-400% CPU (of 4 vCPU host) with no corresponding increase in log volume or actual traffic. Once in this state, the process becomes unresponsive to SIGTERM and must be SIGKILL'd. journalctl output goes silent hours before the runaway becomes visible in CPU metrics, suggesting the process enters a degraded state well before the CPU spike is observable.

What did you expect to happen?

.

How can we reproduce it (as minimally and precisely as possible)?

• Clean restart: agent idles normally, CPU <5%
• After ~2-4 hours: CPU climbs in steps (50% → 80% → 100% of host capacity)
• Agent becomes unresponsive: systemctl stop crowdsec hangs indefinitely, requiring systemctl kill -s SIGKILL
• journalctl shows no output from the agent for hours prior to and during the runaway
• Cycle repeats after each forced restart

Anything else we need to know?

Acquisition metrics at time of incident (normal, not the cause)

• nginx/access.log: ~10k lines/session, fully parsed
• auth.log: ~500 lines, minimal parse rate (syslog label misconfiguration, separate issue)
• No unusual traffic volume (~750 nginx requests/3 hours)

Decision table state

• ~12,800 entries in nftables set at time of latest incident
• SQLite DB: ~31MB
• 10 local decisions, remainder from CAPI/lists

Things ruled out during investigation

• nftables set size (element count dropped from ~35k to ~12.8k with no improvement)
• Firewall bouncer reconciliation frequency (already set to 600s)
• nginx bouncer in live mode (switched to stream mode, no improvement)
• nginx bouncer UPDATE_FREQUENCY=10 (raised to 600s, no improvement)
• stray strace process attached to crowdsec PID (killed, no improvement)
• Memory pressure / swap thrashing (present but secondary)

Systemd resource consumption at time of SIGKILL (from journal)

• One run: 2 days, 4 hours, 51 minutes of accumulated CPU time before kill
• Previous run: 9 hours, 34 minutes
• Pattern of escalating CPU consumption per service lifetime

Workaround currently applied

[Service]
CPUQuota=150%
Restart=always
RestartSec=30
TimeoutStopSec=60

This caps the blast radius and auto-recovers the service after each runaway, but does not address the underlying issue.

Additional notes

• The agent produces no log output during the runaway state, making diagnosis difficult
• The issue predates the current investigation by at least several weeks based on systemd journal history
• Happy to provide full journalctl output, sqlite3 table row counts, or cscli metrics snapshots if helpful

Let me know if any additional information would help reproduce or diagnose this.

Crowdsec version

Details

$ cscli version
# paste output here

version: v1.7.8-debian-pragmatic-amd64-63227459
Codename: alphaga
BuildDate: 2026-05-11_12:36:14
GoVersion: 1.26.2
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.7.8-debian-pragmatic-amd64-63227459-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog, db_mysql, db_postgres, db_sqlite

OS version

Details

# On Linux:
$ cat /etc/os-release
# paste output here
PRETTY_NAME="Ubuntu 24.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.4 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
$ uname -a
# paste output here
Linux ext-proxy-01 6.8.12-20-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-20 (2026-03-13T08:15Z) x86_64 x86_64 x86_64 GNU/Linux
# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Enabled collections and parsers

Details

$ cscli hub list -o raw
# paste output here
Loaded: 164 parsers, 12 postoverflows, 783 scenarios, 9 contexts, 5 appsec-configs, 216 appsec-rules, 163 collections
name,status,version,description,type
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.3,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nginx-logs,enabled,2.0,Parse nginx access and error logs,parsers
crowdsecurity/public-dns-allowlist,enabled,0.1,Allow events from public DNS servers,parsers
crowdsecurity/sshd-logs,enabled,3.1,Parse openSSH logs,parsers
crowdsecurity/sshd-success-logs,enabled,0.1,Parse successful ssh logins,parsers
crowdsecurity/syslog-logs,enabled,1.0,,parsers
crowdsecurity/whitelists,enabled,0.3,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/cdn-whitelist,enabled,0.5,Whitelist CDN providers,postoverflows
crowdsecurity/google-special-crawlers-whitelist,enabled,0.1,"Whitelist events from Google special crawlers (e.g. Google-InspectionTool, GoogleOther)",postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.5,Whitelist good search engine crawlers,postoverflows
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.7,Detect cve-2021-44228 exploitation attempts,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.4,Confluence - RCE (CVE-2022-26134),scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.3,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-0012,enabled,0.1,Detect CVE-2024-0012 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/CVE-2024-9474,enabled,0.1,Detect CVE-2024-9474 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.3,F5 BIG-IP TMUI - RCE (CVE-2020-5902),scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.4,Detect cve-2018-13379 exploitation attempts,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.3,Grafana - Arbitrary File Read (CVE-2021-43798),scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.5,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.3,Apache - Path Traversal (CVE-2021-41773),scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.3,Apache - Path Traversal (CVE-2021-42013),scenarios
crowdsecurity/http-cve-probing,enabled,0.6,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-generic-bf,enabled,0.9,Detect generic http brute force,scenarios
crowdsecurity/http-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: basic HTTP trigger,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sap-interface-probing,enabled,0.1,Detect generic HTTP SAP interface probing,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-technology-probing,enabled,0.1,Detect HTTP technology/vendor probing,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.4,Detect exploitation attempts against common WordPress endpoints,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.4,Detect Atlassian Jira CVE-2021-26086 exploitation attempts,scenarios
crowdsecurity/netgear_rce,enabled,0.4,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.3,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.4,Detect cve-2019-11510 exploitation attempts,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: SSH brute force trigger,scenarios
crowdsecurity/ssh-refused-conn,enabled,0.1,Detect sshd refused connections,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/ssh-time-based-bf,enabled,0.2,Detect time-based ssh bruteforce attempts that evade rate limiting (with false positive reduction),scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.7,Detect ThinkPHP CVE-2018-20062 exploitation attempts,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.3,Detect VMSA-2021-0027 exploitation attempts,scenarios
ltsich/http-w00tw00t,enabled,0.3,detect w00tw00t,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.3,,contexts
crowdsecurity/base-http-scenarios,enabled,1.4,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,3.0,Detect CVE exploitation in http logs,collections
crowdsecurity/linux,enabled,0.4,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nginx,enabled,0.3,nginx support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.9,sshd support : parser and brute-force detection,collections
crowdsecurity/whitelist-good-actors,enabled,0.4,Good actors whitelists,collections

Acquisition config

Details

# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
# paste output here
#Generated acquisition file - wizard.sh (service: nginx) / files : /var/log/nginx/access-stash.log /var/log/nginx/access-netbox.log /var/log/nginx/access.log /var/log/nginx/access-gateway.log /var/log/nginx/access-grafana.log /var/log/nginx/access-cml.log /var/log/nginx/access-proxmox.log /var/log/nginx/access-www.log /var/log/nginx/access-home.log /var/log/nginx/error.log /var/log/nginx/access-logging.log
filenames:
  - /var/log/nginx/access.log
  - /var/log/nginx/error.log
labels:
  type: nginx
---
#Generated acquisition file - wizard.sh (service: ssh) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: ssh
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog
#filenames:
#  - /var/log/syslog
#labels:
#  type: syslog
---
cat: '/etc/crowdsec/acquis.d/*': No such file or directory

# On Windows:
C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
# paste output here

Config show

Details

$ cscli config show
# paste output here
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Notification Folder    : /etc/crowdsec/notifications
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              :
API Client:
  - URL                     : http://10.0.10.3:8080/
  - Login                   : 754e9ce9fee548018d667d38f4fd12dd4bmu3byLlbxTt5Jt
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 10.0.10.3:8080
  - Listen Socket           :
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
      - 10.0.10.0/24
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 168h0m0s
      - Flush size          : 5000

Prometheus metrics

Details

$ cscli metrics
# paste output here
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics                                                                                                      │
├────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                         │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log         │ 17         │ -            │ 17             │ -                      │ -                 │
│ file:/var/log/nginx/access.log │ 49         │ 49           │ -              │ 34                     │ -                 │
│ file:/var/log/nginx/error.log  │ 2          │ 2            │ -              │ 1                      │ -                 │
╰────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
╭────────────────────────────────────────────────────╮
│ Local API Alerts                                   │
├────────────────────────────────────────────┬───────┤
│ Reason                                     │ Count │
├────────────────────────────────────────────┼───────┤
│ crowdsecurity/http-probing                 │ 42    │
│ crowdsecurity/http-technology-probing      │ 9     │
│ crowdsecurity/http-wordpress-scan          │ 19    │
│ crowdsecurity/http-admin-interface-probing │ 16    │
│ crowdsecurity/http-crawl-non_statics       │ 20    │
│ crowdsecurity/http-cve-2021-42013          │ 1     │
│ crowdsecurity/http-cve-probing             │ 4     │
│ crowdsecurity/http-open-proxy              │ 1     │
│ crowdsecurity/http-sensitive-files         │ 12    │
│ crowdsecurity/netgear_rce                  │ 1     │
│ crowdsecurity/http-backdoors-attempts      │ 1     │
│ crowdsecurity/http-bad-user-agent          │ 3     │
│ crowdsecurity/http-cve-2021-41773          │ 2     │
╰────────────────────────────────────────────┴───────╯
╭──────────────────────────────────────────────────────────────────────────────────────────╮
│ Bouncer Metrics (crowdsec-firewall-bouncer) since 2026-06-09 20:03:52 +0000 UTC          │
├───────────────────────────────┬──────────────────┬───────────────────┬───────────────────┤
│ Origin                        │ active_decisions │      dropped      │     processed     │
│                               │        IPs       │  bytes  │ packets │  bytes  │ packets │
├───────────────────────────────┼──────────────────┼─────────┼─────────┼─────────┼─────────┤
│ CAPI (community blocklist)    │           24.43k │  40.68k │     863 │       - │       - │
│ crowdsec (security engine)    │                6 │  76.53k │   1.45k │       - │       - │
│ lists:crowdsec_cve_2025_55182 │                0 │   5.15k │     104 │       - │       - │
│ lists:firehol_greensnow       │            1.64k │   8.94k │     167 │       - │       - │
│ lists:otx-webscanners         │            2.41k │     475 │       8 │       - │       - │
├───────────────────────────────┼──────────────────┼─────────┼─────────┼─────────┼─────────┤
│                         Total │           28.48k │ 131.78k │   2.59k │ 506.61M │   1.98M │
╰───────────────────────────────┴──────────────────┴─────────┴─────────┴─────────┴─────────╯
╭─────────────────────────────────────────────────────────────────────╮
│ Bouncer Metrics (crowdsec-nginx-bouncer) since 2026-06-10 05:02:15  │
│ +0000 UTC                                                           │
├────────────────────────────┬──────────────────┬─────────┬───────────┤
│ Origin                     │ active_decisions │ dropped │ processed │
│                            │        IPs       │ request │  request  │
├────────────────────────────┼──────────────────┼─────────┼───────────┤
│ CAPI (community blocklist) │           24.43k │       - │         - │
│ crowdsec (security engine) │                6 │     411 │         - │
│ lists:firehol_greensnow    │            4.53k │       1 │         - │
│ lists:otx-webscanners      │            2.40k │       - │         - │
├────────────────────────────┼──────────────────┼─────────┼───────────┤
│                      Total │           31.38k │     412 │    17.35k │
╰────────────────────────────┴──────────────────┴─────────┴───────────╯
╭──────────────────────────────────────────────────────────────────╮
│ Local API Decisions                                              │
├──────────────────────────────────────┬──────────┬────────┬───────┤
│ Reason                               │ Origin   │ Action │ Count │
├──────────────────────────────────────┼──────────┼────────┼───────┤
│ crowdsecurity/http-cve-probing       │ crowdsec │ ban    │ 1     │
│ crowdsecurity/http-open-proxy        │ crowdsec │ ban    │ 1     │
│ crowdsecurity/http-probing           │ crowdsec │ ban    │ 4     │
│ firehol_greensnow                    │ lists    │ ban    │ 5112  │
│ http:bruteforce                      │ CAPI     │ ban    │ 703   │
│ http:scan                            │ CAPI     │ ban    │ 23483 │
│ crowdsecurity/http-crawl-non_statics │ crowdsec │ ban    │ 3     │
│ crowdsecurity/http-sensitive-files   │ crowdsec │ ban    │ 1     │
│ crowdsecurity/http-wordpress-scan    │ crowdsec │ ban    │ 2     │
│ otx-webscanners                      │ lists    │ ban    │ 2590  │
│ http:crawl                           │ CAPI     │ ban    │ 52    │
│ http:exploit                         │ CAPI     │ ban    │ 372   │
╰──────────────────────────────────────┴──────────┴────────┴───────╯
╭──────────────────────────────────────╮
│ Local API Metrics                    │
├──────────────────────┬────────┬──────┤
│ Route                │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts           │ GET    │ 6    │
│ /v1/decisions/stream │ GET    │ 2    │
│ /v1/heartbeat        │ GET    │ 10   │
│ /v1/usage-metrics    │ POST   │ 2    │
│ /v1/watchers/login   │ POST   │ 3    │
╰──────────────────────┴────────┴──────╯
╭──────────────────────────────────────────────────────────────────╮
│ Local API Bouncers Metrics                                       │
├───────────────────────────┬──────────────────────┬────────┬──────┤
│ Bouncer                   │ Route                │ Method │ Hits │
├───────────────────────────┼──────────────────────┼────────┼──────┤
│ crowdsec-firewall-bouncer │ /v1/decisions/stream │ GET    │ 1    │
│ crowdsec-nginx-bouncer    │ /v1/decisions/stream │ GET    │ 1    │
╰───────────────────────────┴──────────────────────┴────────┴──────╯
╭──────────────────────────────────────────────────────────────────────────────────╮
│ Local API Machines Metrics                                                       │
├──────────────────────────────────────────────────┬───────────────┬────────┬──────┤
│ Machine                                          │ Route         │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ 754e9ce9fee548018d667d38f4fd12dd4bmu3byLlbxTt5Jt │ /v1/alerts    │ GET    │ 5    │
│ 754e9ce9fee548018d667d38f4fd12dd4bmu3byLlbxTt5Jt │ /v1/heartbeat │ GET    │ 10   │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯
╭───────────────────────────────────────────────────────────────╮
│ Parser Metrics                                                │
├────────────────────────────────────┬──────┬────────┬──────────┤
│ Parsers                            │ Hits │ Parsed │ Unparsed │
├────────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/http-logs      │ 153  │ 102    │ 51       │
│ child-crowdsecurity/nginx-logs     │ 53   │ 51     │ 2        │
│ crowdsecurity/dateparse-enrich     │ 51   │ 51     │ -        │
│ crowdsecurity/geoip-enrich         │ 51   │ 51     │ -        │
│ crowdsecurity/http-logs            │ 51   │ 51     │ -        │
│ crowdsecurity/nginx-logs           │ 51   │ 51     │ -        │
│ crowdsecurity/non-syslog           │ 68   │ 68     │ -        │
│ crowdsecurity/public-dns-allowlist │ 51   │ 51     │ -        │
│ crowdsecurity/whitelists           │ 51   │ 51     │ -        │
╰────────────────────────────────────┴──────┴────────┴──────────╯
╭────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Scenario Metrics                                                                                   │
├──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────┤
│ Scenario                             │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-crawl-non_statics │ 1             │ -         │ 25           │ 25     │ 24      │
│ crowdsecurity/http-probing           │ -             │ -         │ 10           │ 10     │ 10      │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯
╭───────────────────────────────────────────────────────────────────────────────────────╮
│ Whitelist Metrics                                                                     │
├────────────────────────────────────┬─────────────────────────────┬──────┬─────────────┤
│ Whitelist                          │ Reason                      │ Hits │ Whitelisted │
├────────────────────────────────────┼─────────────────────────────┼──────┼─────────────┤
│ crowdsecurity/public-dns-allowlist │ public DNS server           │ 51   │ -           │
│ crowdsecurity/whitelists           │ private ipv4/ipv6 ip/ranges │ 51   │ -           │
╰────────────────────────────────────┴─────────────────────────────┴──────┴─────────────╯

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

Details

[github-actions]

@GibsonSWE: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[GibsonSWE]

Same as #4464 ? Moving back to v1.7.7 helped for me too.