Cscli metrics & alerts

Hi all,
I notice some hosts don’t print the alerts block in the result of the “cscli metrics” command, whereas these hosts had already reported some decisions. Maybe it prints alerts after a certain delay?
Are there other reasons?
Thanks,
Stephane.

Could you elaborate what you mean?

The only thing I can think is a multi server setup?

If so, this is normal: the metrics on the main host will show alerts, and since the alerts are only made on the main host, that’s why they are there. The metrics are not aggregated across endpoints; this is the idea of having the console.

Of course.
Yes, it is a multi-server setup. All servers always work with the only LAPI server we have.

When I run:
# cscli metrics
on different nodes which are not the LAPI server, I can observe a block:

Local API Alerts:

╭──────────────────────────────────────┬───────╮
│                Reason                │ Count │
├──────────────────────────────────────┼───────┤
│ crowdsecurity/CVE-2019-18935         │ 1     │
│ crowdsecurity/CVE-2022-41082         │ 6     │
│ crowdsecurity/http-bad-user-agent    │ 39    │
│ crowdsecurity/http-crawl-non_statics │ 1     │
│ crowdsecurity/http-probing           │ 12    │
│ crowdsecurity/http-sensitive-files   │ 3     │
╰──────────────────────────────────────┴───────╯

This block is different for each server; example for another server:

Local API Alerts:
╭───────────────────────────────────────┬───────╮
│                Reason                 │ Count │
├───────────────────────────────────────┼───────┤
│ crowdsecurity/jira_cve-2021-26086     │ 8     │
│ crowdsecurity/CVE-2019-18935          │ 1     │
│ crowdsecurity/CVE-2022-41082          │ 4     │
│ crowdsecurity/http-bad-user-agent     │ 749   │
│ crowdsecurity/http-crawl-non_statics  │ 2     │
│ crowdsecurity/http-probing            │ 11    │
│ crowdsecurity/http-sensitive-files    │ 3     │
│ crowdsecurity/CVE-2022-26134          │ 32    │
│ crowdsecurity/fortinet-cve-2022-40684 │ 3     │
╰───────────────────────────────────────┴───────╯

But you said: “and since the alerts are only made on the main host thats why they are there”
which is not the case for me.

→ Maybe it is a result of the fact that all these servers (with a “Local API Alerts” block) did not rely on the main host before (standalone server)? These metrics do not evolve over time.
If that’s the case, how can I get rid of this old data?

Thank you.
Stephane.

When running in a multi-server setup, we recommend disabling the LAPI on the remote agents.

Set this to false

Sorry, I don’t understand which value (of config.yaml) I have to set to false?