0ct0pu5/crowdsec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
crowdsec/docs/observability/metrics.md
erenJag 4f9d252a15
Add the documentation into crowdsec repo (#3) 
Add the documentation into crowdsec repo
2020-05-15 16:58:24 +02:00

118 lines
6.1 KiB
Markdown
Raw Blame History

## metrics via {{cli.name}}
```bash
{{cli.name}} metrics
```
This command provides an overview of {{crowdsec.name}} statistics. By default it assumes that the {{crowdsec.name}} is installed on the same machine.
The metrics are split in 3 main sections :
- Acquisition metrics : How many lines were read from which sources, how many were successfully or unsuccessfully parsed, and how many of those lines ultimately ended up being poured to a bucket.
- Parser metrics : How many lines were fed (eligible) to each parser, and how many of those were successfully or unsuccessfully parsed.
- Bucket metrics : How many time each scenario lead to a bucket instantiation, and for each of those :
- how many times it overflowed
- how many times it expired (underflows)
- how many subsequent events were poured to said bucket
!!! hint
These metrics should help you identify potential configuration errors.
For example, if you have a source that has mostly unparsed logs, you know you might be missing some parsers.
As well, if you have scenarios that are never instantiated, it might be a hint that they are not relevant to your configuration.
<details>
<summary>{{cli.name}} metrics example</summary>
```bash
INFO[0000] Buckets Metrics:
+-----------------------------------------+-----------+--------------+--------+---------+
| BUCKET | OVERFLOWS | INSTANTIATED | POURED | EXPIRED |
+-----------------------------------------+-----------+--------------+--------+---------+
| crowdsecurity/http-scan-uniques_404 | - | 8 | 9 | 8 |
| crowdsecurity/iptables-scan-multi_ports | 1 | 8306 | 9097 | 8288 |
| crowdsecurity/ssh-bf | 42 | 281 | 1434 | 238 |
| crowdsecurity/ssh-bf_user-enum | 13 | 659 | 777 | 646 |
| crowdsecurity/http-crawl-non_statics | - | 10 | 12 | 10 |
+-----------------------------------------+-----------+--------------+--------+---------+
INFO[0000] Acquisition Metrics:
+------------------------------------------+------------+--------------+----------------+------------------------+
| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+------------------------------------------+------------+--------------+----------------+------------------------+
| /var/log/nginx/https.access.log | 25 | 25 | - | 7 |
| /var/log/kern.log | 18078 | 18078 | - | 4066 |
| /var/log/syslog | 18499 | 18078 | 421 | 5031 |
| /var/log/auth.log | 6086 | 1434 | 4652 | 2211 |
| /var/log/nginx/error.log | 170243 | 169632 | 611 | - |
| /var/log/nginx/http.access.log | 44 | 44 | - | 14 |
+------------------------------------------+------------+--------------+----------------+------------------------+
INFO[0000] Parser Metrics:
+--------------------------------+--------+--------+----------+
| PARSERS | HITS | PARSED | UNPARSED |
+--------------------------------+--------+--------+----------+
| crowdsecurity/geoip-enrich | 37659 | 37659 | 0 |
| crowdsecurity/http-logs | 169701 | 27 | 169674 |
| crowdsecurity/iptables-logs | 36156 | 36156 | 0 |
| crowdsecurity/nginx-logs | 170316 | 169701 | 615 |
| crowdsecurity/non-syslog | 170312 | 170312 | 0 |
| crowdsecurity/sshd-logs | 6053 | 1434 | 4619 |
| crowdsecurity/syslog-logs | 42663 | 42663 | 0 |
| crowdsecurity/dateparse-enrich | 207291 | 207291 | 0 |
+--------------------------------+--------+--------+----------+
```
</details>
## metrics via {{crowdsec.name}} prometheus
{{crowdsec.name}} can expose a prometheus endpoint for collection (on `http://127.0.0.1:6060/metrics` by default).
The goal of this endpoint, besides the usual resources consumption monitoring, aims at offering a view of {{crowdsec.name}} "applicative" behavior :
- is it processing a lot of logs ? is it parsing them successfully ?
- are a lot of scenarios being triggered ?
- are a lot of IPs banned ?
- etc.
All the counters are "since {{crowdsec.name}} start".
### Scenarios
- `cs_bucket_create` : number of instantiation of each scenario
- `cs_bucket_overflow` : number of overflow of each scenario
- `cs_bucket_underflow` : number of underflow of each scenario (bucket was created but expired because of lack of events)
- `cs_bucket_pour` : number of event poured to each scenario with source as complementary key :
```
#2030 lines from `/var/log/nginx/access.log` were poured to `crowdsecurity/http-scan-uniques_404` scenario
cs_bucket_pour{name="crowdsecurity/http-scan-uniques_404",source="/var/log/nginx/access.log"} 2030
```
### Parsers
- `cs_node_hits` : how many time an event from a specific source was processed by a parser node :
```
# 235 lines from `auth.log` were processed by the `crowdsecurity/dateparse-enrich` parser
cs_node_hits{name="crowdsecurity/dateparse-enrich",source="/var/log/auth.log"} 235
```
- `cs_node_hits_ko` : how many times an event from a specific was unsuccessfully parsed by a specific parser
```
# 2112 lines from `error.log` failed to be parsed by `crowdsecurity/http-logs`
cs_node_hits_ko{name="crowdsecurity/http-logs",source="/var/log/nginx/error.log"} 2112
```
- `cs_node_hits_ok` : how many times an event from a specific source was successfully parsed by a specific parser
- `cs_parser_hits` : how many times an event from a source has hit the parser
- `cs_parser_hits_ok` : how many times an event from a source was successfully parsed
- `cs_parser_hits_ko` : how many times an event from a source was unsuccessfully parsed
### Acquisition
- `cs_reader_hits` : how many events were read from a specific source
Reference in a new issue View git blame Copy permalink