Multi-Server setup - _all_ machines shown with old heartbeat every 30 Minutes

J-a-x-u · October 11, 2024, 7:59am

I have a multi-server setup 18 machines. LAPI-server with mariadb.
Since the latest update to v1.6.3-rpm-pragmatic-amd64-4851945a (all machines are on the same version, also may have happened in the previous version, but I just noticed it now), I often see some of them in ‘cscli machines list’ with a heartbeat of serveral hours behind. This clears within some minutes, but keeps happening again and again.
Until now I could not find any pattern for this behaviour. It look like all machines are affected.

Just now:
2024-10-11T07:52:00Z v1.6.3-rpm-pragmatic-amd64-4851945a Red Hat Enterprise Linux/8.10 password 6h30m17s

and about a minute later:
2024-10-11T07:53:59Z v1.6.3-rpm-pragmatic-amd64-4851945a Red Hat Enterprise Linux/8.10 password 15s

Also the version-string changes often from ‘v1.6.3-rpm-pragmatic-amd64-4851945a’ to ‘v1.6.3-rpm-pragmatic-amd64-4851945a-linux’ and back.

iiAmLoz · October 11, 2024, 12:54pm

Do you have some machines that are using the same username and password that is generated by cscli machines add or cscli lapi register command?

J-a-x-u · October 11, 2024, 1:13pm

Now that you are asking… I have indeed identified one clone of VM where still a crowdsec-firewall-bouncer.service was active/running and is now deactivated. For the rest I am not aware that I have any other clones running, but I will check.
But the old heartbeats still show up on machines where I am sure I never had any clones running.

J-a-x-u · October 14, 2024, 7:20am

More data: I started checking cscli machines list every 30 seconds and the heartbeat of all the machines is shown as old every 30 minutes.
Next I will have a look at the incoming packets from one of the machines.

J-a-x-u · October 15, 2024, 5:58am

The heartbeat communication from the machines looks identical at all times.

Capablo · January 28, 2025, 12:26pm

Hi @J-a-x-u,

I have the same problem with the same version as you,
Have you managed to find out what happened?

iiAmLoz · January 28, 2025, 1:13pm

Hey all we found a bug/unforeseen issue in previous version that is now fixed but will be introduced in 1.6.5

github.com/crowdsecurity/crowdsec

Removed updating of machine last_heartbeat based on baseMetrics in MachineUpdateBaseMetrics

crowdsecurity:master ← srkoster:master

opened 05:01PM - 23 Jan 25 UTC

srkoster

+0 -9

This fix removes the update of machine last_heartbeat in `MachineUpdateBaseMetri…cs` for 3 reasons - The implemented logic doesn't make sense. It updates the fields with the first timestamp of found for that machine in the baseMetrics. When using flush.agents_autodelete, agents can be deleted wrongly because of this logic. (See #3424 - It shouldn't update the last_heartbeat column at all. Machines will call back to the LAPI and `UpdateMachineLastHeartBeat` is being called to update it. - `BouncerUpdateBaseMetrics` in the bouncer package doesn't update the similar column last pull neither.

the bug/unforeseen was introduced 6 months ago via: LAPI: detailed metrics endpoint (#2858) · srkoster/crowdsec@64e4ecd · GitHub

Topic		Replies	Views
CSCLI Machines list No Heartbeat after lxc container Restart	6	151	September 3, 2024
Cscli metrics & alerts	5	539	October 11, 2023
Alerts and détection issue	3	1034	December 22, 2021
CS apparently not doing anything crowdsec	1	491	May 4, 2022
Cloned VM - How to correctly re-register as new from console?	2	600	July 11, 2023

Multi-Server setup - _all_ machines shown with old heartbeat every 30 Minutes

Related topics