We have sudo cscli alerts delete
and sudo cscli alerts flush
What's the difference?
Documentation is plain rubbish.
cscli alerts delete
will soft delete the alert in the database. cscli alerts flush
will find the alerts with a soft delete against them and remove them. You shouldn't need to manually flush as there is a setting in the config that will run this on a regular basis.
Does flush remove the decisions from the ban once the alerts are gone?
Yes, if you remove the underlying alert there is a cascade onto the related decisions.
Here’s the output of the log:
time="15-09-2023 21:24:55" level=info msg="flushed 1/5002 alerts because max number of alerts has been reached (5000 max)"
This was done by crowdsec itself. Does it mean that all those alerts have been flushed and all decisions have been removed, which would lead to an unban?
If yes, can we disable that feature (flushing alerts once reached 5k max) and keep the alerts?
Depends. We only recommend very short ban durations or a scale over time. As most IPs are transient, you see them attacking, then they will switch, so there's no need to ban them for several years; just hours/days is enough.
You can't disable the flush as your database will rise to tens of gigabytes. You can, however, set the flush level higher: CrowdSec Configuration | CrowdSec
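As an added illustration (not part of the thread), here is the fragment of the Local API's config.yaml that controls the automatic flush described above. The db_config.flush keys (max_items, max_age) are CrowdSec's documented settings; the values shown are constructed examples, not a recommendation for any particular deployment.

```yaml
# db_config section of /etc/crowdsec/config.yaml (paths/values are example assumptions)
db_config:
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  flush:
    # Default-like setting: once more than 5000 alerts exist, the oldest
    # ones are flushed (and their decisions cascade-removed), which is
    # what the "flushed 1/5002 alerts ... (5000 max)" log line reports.
    max_items: 5000
    # Alerts older than this are flushed regardless of count.
    max_age: 7d
```

Raising max_items (for example to 20000) keeps more alerts, and therefore their decisions, at the cost of a larger database; max_age still bounds how long any alert survives, so both values need to match the ban durations you actually use. Restart the Local API (crowdsec service) after editing the file for the new thresholds to apply.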
Would flushing the alerts release all the existing banned IPs? Specifically, if we had 5,000 alerts removed once the threshold limit was reached and 5,000 IPs were banned, would all of them be unbanned? We don't set long-term bans; instead, we're doubling the duration of each ban whenever an overflow occurs.
Is there any hard limit on the number of alerts that crowdsec can support?