Unable to get crowdsec to start

Hi

I am trying to add crowdsec to a dashboard server, but when I try to load crowdsec on the client server, it says:

```
time="22-04-2023 07:25:08" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 _SYSTEMD_UNIT=apache2.service]" src="journalctl-_SYSTEMD_UNIT=apache2.service" type=journalctl
time="22-04-2023 07:25:08" level=info msg="Running journalctl command: /usr/bin/journalctl [journalctl --follow -n 0 _SYSTEMD_UNIT=mysql.service]" src="journalctl-_SYSTEMD_UNIT=mysql.service" type=journalctl
time="22-04-2023 07:25:08" level=fatal msg="starting outputs error : authenticate watcher (): Post "http://myip:3000/v1/watchers/login\": unable to decode response: EOF"
```

Hi @aeternum,

Can you paste your /etc/crowdsec/config.yaml so we can know more about your config?
The error seems to indicate that the payload isn’t JSON or plaintext.

Sorry, I deleted my last message because I realised I got it from the server, not the client where the crowdsec process won’t start. Anyway, I’ve posted the correct one below.

```
common:
  daemonize: true
  pid_dir: /var/run/
  log_media: file
  log_level: info
  log_dir: /var/log/
  log_max_size: 20
  compress_logs: true
  log_max_files: 10
  working_dir: .
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /var/lib/crowdsec/data/
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
  notification_dir: /etc/crowdsec/notifications/
  plugin_dir: /usr/lib/crowdsec/plugins/
crowdsec_service:
  acquisition_path: /etc/crowdsec/acquis.yaml
  acquisition_dir: /etc/crowdsec/acquis.d
  parser_routines: 1
cscli:
  output: human
  color: auto
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  #max_open_conns: 100
  #user:
  #password:
  #db_name:
  #host:
  #port:
  flush:
    max_items: 5000
    max_age: 7d
plugin_config:
  user: nobody # plugin process would be ran on behalf of this user
  group: nogroup # plugin process would be ran on behalf of this group
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    console_path: /etc/crowdsec/console.yaml
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    trusted_ips: # IP ranges, or IPs which can have admin API access
      - 127.0.0.1
      - ::1
#    tls:
#      cert_file: /etc/crowdsec/ssl/cert.pem
#      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060
```

OK, I’ve made a breakthrough. I can get the service to start when I change /etc/crowdsec/local_api_credentials.yaml to the following:

```
url: http://10.0.0.1:3000/
login:
password:
```

But I can’t enrol it, as when I do the command, it changes the /etc/crowdsec/local_api_credentials.yaml to the following:

```
url: http://<redacted>:3000/
login: <redacted>
password: <redacted>
```

It seems like when I put the IP address in there, it stops it from starting. I removed the username and password from the file, and it still won’t start. But I change it back to 10.0.0.1:3000 and it starts fine. But again, I can’t enroll it in the dashboard because it changes the url line in that file.

Hi, yes, as explained in your Discord thread (I think you’re the same user that asked the same question in Discord), it’s impossible to connect to the dashboard by modifying this file. This file is only for the agent to connect to the local API. It depends on which dashboard you want to set up.

The online dashboard app.crowdsec.net, or the local one using Metabase?

The online dashboard can be set up by creating an account at app.crowdsec.net and then enrolling your crowdsec instance: `cscli enroll <YOUR_ENROLL_KEY>`. The enroll key can be fetched from the console.

The local dashboard (Metabase) can be set up using cscli:

```
cscli dashboard setup --listen <ADDR> -p <PORT> --password <password>
```

Hi

I’m trying to set up the local metabase dashboard.

```
cscli dashboard setup --listen <ADDR> -p <PORT> --password <password>
```

Is that command run on the client or the server running the dashboard?

Thanks.

The local dashboard is running on the server:

Before, I advised you to fix your /etc/crowdsec/local_api_credentials.yaml file because you modified it with the wrong config.

Thanks for the help, but I’m just gonna use app.crowdsec.net instead.

Any chance someone has any insight that might help to resolve this issue?

After running “docker exec -it crowdsec cscli hub update” I now cannot restart the container. It won’t run; the logs show:

```
time="2025-05-15T15:27:20-04:00" level=fatal msg="api server init: unable to run plugin broker: while loading plugin: binary for plugin http_gotify not found"
```

I have tried many things. When I comment out the plugin files in profiles.yaml it lets me boot the container. And then I ran “cscli hub update --with-content” and after that I ran “cscli hub upgrade”. Then I typed reboot into the container shell and it rebooted fine. Then I exited the container. Then I uncommented the http-default(- http-gotify) and email-default notifications in profile.yaml again before issuing a “docker compose down && docker compose up -d --force-recreate --remove-orphans” command, but the container still won’t load and says the same error about missing plugin binaries. While it was still running and I was still inside the container’s shell I looked in the plugins dir with `ls /usr/local/lib/crowdsec/plugins/` but nothing was present. How can I enable this functionality again without bricking crowdsec??? PLEASE HELP…

For context, this is the content of both files. “profiles.yaml”:

```
debug: false
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
 - http_gotify   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
 - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
```

And here is the “http.yaml” file:

```
name: http_gotify         # http_default # http_default # Must match the registered plugin in the profile

# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info

# group_wait:         # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
# group_threshold:    # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry:          # Number of attempts to relay messages to plugins in case of error
# timeout:            # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"

#-------------------------
# plugin-specific options

# The following template receives a list of models.Alert objects
# The output goes in the http request body
format: |
 {{ range . -}}
 {{ $alert := . -}}
 {
   "extras": {
     "client::display": {
     "contentType": "text/markdown"
   }
 },
 "priority": 3,
 {{range .Decisions -}}
 "title": "{{.Type }} {{ .Value }} for {{.Duration}}",
 "message": "{{.Scenario}}  \n\n[crowdsec cti](https://app.crowdsec.net/cti/{{.Value -}})  \n\n[shodan](https://shodan.io/host/{{.Value -}})"
 {{end -}}
 }
 {{ end -}}

# The plugin will make requests to this url, eg:  https://www.example.com/
url: https://gotify.<<REDACTED>>.com/message

# Any of the http verbs: "POST", "GET", "PUT"...
method: POST

headers:
 X-Gotify-Key: <<REDACTED>>
 Content-Type: application/json
# skip_tls_verification:  # true or false. Default is false
```

I responded to you on Discord, but this YAML is different from what you posted there.

It seems you are missing `type: http` at the top of the http.yaml?
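
A preflight check for the mismatch discussed in the last two posts, added here as an example; it is not code from the thread or from CrowdSec. It cross-checks the names enabled in profiles.yaml against each notification config's `name` and `type` and against the plugin directory. It assumes plugin binaries are named `notification-<type>`, uses a simple line-based reader instead of a YAML parser, and runs on constructed sample files.

```python
import re
import tempfile
from pathlib import Path

# Top-level scalar keys only: a deliberately simple stand-in for a YAML parser.
TOP_KEY = re.compile(r"^(name|type):[ \t]*([^#\s]+)", re.M)
LIST_ITEM = re.compile(r"^\s*-\s*([^#\s]+)")

def enabled_notifications(profiles_text):
    """Uncommented names listed under `notifications:` in profiles.yaml."""
    names, in_list = [], False
    for line in profiles_text.splitlines():
        if not line.strip() or line.strip().startswith("#"):
            continue
        if re.match(r"^\s*notifications:\s*$", line):
            in_list = True
        elif in_list and (m := LIST_ITEM.match(line)):
            names.append(m.group(1))
        else:
            in_list = False
    return names

def check(profiles_text, notification_dir, plugin_dir):
    """Reason each enabled notification cannot load (assumes notification-<type>)."""
    configs = {}
    for path in sorted(Path(notification_dir).glob("*.yaml")):
        keys = dict(TOP_KEY.findall(path.read_text()))
        if "name" in keys:
            configs[keys["name"]] = (path.name, keys.get("type"))
    problems = {}
    for name in enabled_notifications(profiles_text):
        fname, ptype = configs.get(name, (None, None))
        if fname is None:
            problems[name] = "no config file declares this name"
        elif ptype is None:
            problems[name] = f"{fname}: missing top-level 'type:'"
        elif not (Path(plugin_dir) / f"notification-{ptype}").is_file():
            problems[name] = f"binary notification-{ptype} not in plugin dir"
    return problems

def demo():  # constructed sample: http.yaml lacks `type:`, email binary absent
    profiles = "notifications:\n#  - slack_default\n - http_gotify\n - email_default\n"
    with tempfile.TemporaryDirectory() as d:
        ndir, pdir = Path(d, "notifications"), Path(d, "plugins")
        ndir.mkdir(); pdir.mkdir()
        (ndir / "http.yaml").write_text("name: http_gotify\nlog_level: info\n")
        (ndir / "email.yaml").write_text("type: email\nname: email_default\n")
        (pdir / "notification-http").touch()
        return check(profiles, ndir, pdir)

if __name__ == "__main__": print(demo())
```

On a real host, pass the contents of profiles.yaml plus the `notification_dir` and `plugin_dir` values from config.yaml to `check()`; an empty result means every enabled notification has a config, a type and a matching binary.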