Crowdsec on OPNsense and weird behaviour with notification-http process

I don’t know if this is a result of my misconfiguration or something else, but I found a behaviour that is really weird.

I have a multi-server setup. My router (OPNsense box) is running as LAPI and other servers are running as agents. Connections are over HTTPS (self-signed certs). Everything is working perfectly fine, no issues.

However, when I enable the notifications to my Discord server on OPNsense, things get weird.

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
42842 root         18  20    0  1630M   282M kqread   4   2:50   0.42% crowdsec
14354 root          9  20    0  1568M  1046M nanslp   5   1:26   0.75% suricata
76335 root         16  20    0  1377M   100M uwait    4   0:07   0.44% crowdsec
64506 root         11  20    0  1211M    62M uwait    4   0:01   0.00% crowdsec-firewall-b
59065 nobody       11  21    0  1209M    19M uwait    0   0:00   0.00% notification-http
55402 nobody       11  21    0  1209M    18M uwait    4   0:00   0.00% notification-http
63379 nobody       11  21    0  1209M    18M uwait    1   0:00   0.00% notification-http
77672 nobody       11  24    0  1209M    18M uwait    0   0:00   0.00% notification-http
61765 nobody       11  21    0  1209M    18M uwait    0   0:00   0.00% notification-http
65210 nobody       11  23    0  1209M    18M uwait    5   0:00   0.00% notification-http
65990 nobody       11  21    0  1209M    19M uwait    0   0:00   0.00% notification-http
66380 nobody       12  24    0  1209M    19M uwait    0   0:00   0.00% notification-http
75519 nobody       11  26    0  1209M    19M uwait    5   0:00   0.00% notification-http
71378 nobody       12  21    0  1209M    19M uwait    0   0:00   0.00% notification-http
57563 nobody       11  21    0  1209M    18M uwait    5   0:00   0.00% notification-http
61067 nobody       12  21    0  1209M    18M uwait    3   0:00   0.00% notification-http
60579 nobody       12  21    0  1209M    18M uwait    2   0:00   0.00% notification-http
78313 nobody       12  24    0  1209M    18M uwait    3   0:00   0.00% notification-http
70619 nobody       11  21    0  1209M    18M uwait    4   0:00   0.00% notification-http
62619 nobody       11  21    0  1209M    18M uwait    5   0:00   0.00% notification-http
30901 nobody       12  23    0  1209M    18M uwait    3   0:00   0.00% notification-http
65066 nobody       11  20    0  1209M    18M uwait    4   0:00   0.00% notification-http
64196 nobody       11  23    0  1209M    18M uwait    1   0:00   0.00% notification-http
76615 nobody       12  26    0  1209M    18M uwait    2   0:00   0.00% notification-http
53645 nobody       12  21    0  1209M    18M uwait    2   0:00   0.00% notification-http
55127 nobody       12  21    0  1209M    18M uwait    4   0:00   0.00% notification-http
66034 nobody       11  21    0  1209M    18M uwait    5   0:00   0.00% notification-http
57947 nobody       11  21    0  1209M    18M uwait    1   0:00   0.00% notification-http
40760 nobody       11  20    0  1209M    18M uwait    0   0:00   0.00% notification-http
53835 nobody       11  21    0  1209M    18M uwait    0   0:00   0.00% notification-http
71633 nobody       11  21    0  1209M    18M uwait    0   0:00   0.00% notification-http
54576 nobody       11  21    0  1209M    18M uwait    4   0:00   0.00% notification-http
38065 nobody       12  23    0  1209M    18M uwait    4   0:00   0.00% notification-http
63007 nobody       11  21    0  1209M    18M uwait    5   0:00   0.00% notification-http
42854 nobody       12  20    0  1209M    18M uwait    3   0:00   0.00% notification-http
61630 nobody       11  28    0  1209M    18M uwait    3   0:00   0.00% notification-http
72571 nobody       12  21    0  1209M    18M uwait    4   0:00   0.15% notification-http

For some reason the notification-http process keeps replicating. This doesn’t stop at any point and after a few hours the router runs out of memory. Notifications work normally the whole time.

I have configured the LAPI to run on port 8081 because I couldn’t get HTTPS to work with the default LAPI port (kept getting errors that 8080 only responded with HTTP instead of the requested HTTPS). Could this change cause this issue?

Hi,

Could you test this:

# fetch -o /usr/local/etc/rc.d/crowdsec https://github.com/crowdsecurity/plugins/releases/download/crowdsec-1.6.3-2-hotfix/crowdsec

It should take care of notification plugins and any other process management issue.

Thanks

Hello, please see:

This seems to have fixed this issue and some other weird behaviour that was probably related.

The notification issue was caused by one agent that had its notifications still enabled. This caused those orphaned notification processes, but I am glad to hear this was also hotfixed.

I also had some weird issues when changing settings and restarting Crowdsec, the logs would say that the port (8081) was taken by some other process. This was probably caused by the fact that Crowdsec failed to properly close before restarting. This seems to be fixed as well, as you said.
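
A check for the orphaned notification processes discussed in this thread, as an added example that is not part of any post or of CrowdSec's own code. It assumes notification plugins normally run as direct children of a `crowdsec` process and reads `ps -axo pid,ppid,rss,comm` output; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Report notification-* plugin processes whose parent is not a live crowdsec
# process. Input on stdin: output of `ps -axo pid,ppid,rss,comm`, header included.
# Assumption: plugins are normally direct children of crowdsec.
find_orphaned_plugins() {
    awk '
        NR == 1 { next }    # skip the ps header line
        { ppid[$1] = $2; rss[$1] = $3; comm[$1] = $4; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                pid = order[i]
                if (comm[pid] !~ /^notification-/) continue
                parent = ppid[pid]
                # Orphan: parent is gone from the listing, or is not crowdsec
                if (!(parent in comm) || comm[parent] != "crowdsec")
                    printf "%s %s %s\n", pid, comm[pid], rss[pid]
            }
        }
    '
}

# Print "<orphan count> <total RSS as reported by ps>" for the listing on stdin.
summarize_orphans() {
    find_orphaned_plugins | awk '{ c++; kb += $3 } END { printf "%d %d\n", c, kb }'
}

# Constructed sample listing: one healthy plugin, two reparented to init,
# and one whose parent PID no longer exists.
sample_ps() {
    cat <<'EOF'
  PID  PPID    RSS COMMAND
    1     0   1200 init
42842     1 288768 crowdsec
59065 42842  19456 notification-http
55402     1  18432 notification-http
63379     1  18432 notification-http
64506     1  63488 crowdsec-firewall-b
77672 99999  18432 notification-http
EOF
}

# On the router: ps -axo pid,ppid,rss,comm | summarize_orphans
sample_ps | find_orphaned_plugins
```

A count that keeps growing between runs matches the behaviour shown in the `top` output above.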