Events vs Decisions. Where do decisions come from?

I have thousands of decisions but no events prior / post loading my replay logs.

Looking at the active decisions data when I drill in I see the scenario origin and that they are from the Community API (CAPI), but are Decisions active detections or are those events?

My events are empty after loading my logs from a recent brute force attack, but lots of decisions.

If Decisions are identified user agent behavior, is there a way to see from what log file they originate?

There doesn’t seem to be any scenarios from Apache2.
I probably need to add my apache log files somewhere but how would I see where these “decisions” came from to know if its reading my mod_sec rewrite logs.

Hi. You seem to ask a lot of questions in the same question. Really confusing. But I will try to split it up and if I fail to answer some of it, please let me know.

Decisions from CAPI: You won’t have logs concerning these. Just decisions to block. All decisions that are taken locally are logged in crowdsec.log. I wouldn’t say that decisions are active detections as such. It’s more the decision to block an ip. And that can be a local decision or a decision received from CAPI.

Log files: As I mentioned before, all decisions taken locally are logged in crowdsec.log. In there you can’t (at least not by default) see which log source a given decision comes from. However, you might be able to dig some more info out using debug and trace options of the cscli decisions command. Documentation is here. I haven’t tried it myself so I am not 100% sure.

Apache2: Not there aren’t any scenarios for Apache. Mostly because scenarios are on a higher level of abstraction. They are not specific for a service but describes a situation on a webserver; this means that scenarios are common for e.g. nginx and apache. An example is the Apache2 collection which contains a specific log parser for apache and a generic scenario base-http-scenarios which describes generic stuff like bot crawling etc.

ModSecurity logs: You can see in crowdsec.log which log files has been detected and used by CrowdSec.

I think I managed to get an overview of all your questions and answered them all. If not - or if you have more questions - please ask again.

Thank you for your comprehensive response! Very helfpul.

I think my confusion is when loading old Apache /Modsecurity logs doing a Replay against logs from a known hack event. I was hoping to see evidence that Crowdsec was going to block a number of IPs from the access_log or point out Modsec flagged rules but nothing new was presented in the Dashboard.

Am I correct that decision are a list of what to block and no bouncer actions are taken until an alert is triggered ?

This documentation has me a bit confused.

Decision : “an action being taken against an IP”

You’re welcome :slight_smile:

Yes, you’re correct about decisions and alerts.

All our docs are in github so it would be a great help if you either create an issue or did a PR :slight_smile:

Thanks for using CrowdSec!