Hi everybody,

I have installed some servers on a Proxmox VE 8.2 system. All the servers are in LXCs with Ubuntu 24.04 and full LAMP installed. I installed crowdsec on each of the containers and it all seems to work. Here is the cscli output for one of the servers (a jellyfin streaming server):

```
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics                                                                                              │
├────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                 │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/auth.log │ 6          │ -            │ 6              │ -                      │ -                 │
│ file:/var/log/syslog   │ 6          │ -            │ 6              │ -                      │ -                 │
╰────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
╭────────────────────────────────────────────────────────────────────────────────────╮
│ Bouncer Metrics (cs-firewall-bouncer-1753174229) since 2025-07-22 09:05:30 +0000 U │
│ TC                                                                                 │
├────────────────────────────┬──────────────────┬─────────────────┬──────────────────┤
│ Origin                     │ active_decisions │ dropped         │ processed        │
│                            │ IPs              │ bytes │ packets │ bytes  │ packets │
├────────────────────────────┼──────────────────┼───────┼─────────┼────────┼─────────┤
│ CAPI (community blocklist) │ 15.00k           │ 0     │ 0       │ -      │ -       │
├────────────────────────────┼──────────────────┼───────┼─────────┼────────┼─────────┤
│ Total                      │ 15.00k           │ 0     │ 0       │ 15.14M │ 42.14k  │
╰────────────────────────────┴──────────────────┴───────┴─────────┴────────┴─────────╯
╭──────────────────────────────────────────╮
│ Local API Decisions                      │
├────────────────┬────────┬────────┬───────┤
│ Reason         │ Origin │ Action │ Count │
├────────────────┼────────┼────────┼───────┤
│ ssh:bruteforce │ CAPI   │ ban    │ 14093 │
│ generic:scan   │ CAPI   │ ban    │ 906   │
╰────────────────┴────────┴────────┴───────╯
╭──────────────────────────────────────╮
│ Local API Metrics                    │
├──────────────────────┬────────┬──────┤
│ Route                │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts           │ GET    │ 1    │
│ /v1/decisions/stream │ GET    │ 99   │
│ /v1/heartbeat        │ GET    │ 16   │
│ /v1/usage-metrics    │ POST   │ 2    │
│ /v1/watchers/login   │ POST   │ 2    │
╰──────────────────────┴────────┴──────╯
╭───────────────────────────────────────────────────────────────────────╮
│ Local API Bouncers Metrics                                            │
├────────────────────────────────┬──────────────────────┬────────┬──────┤
│ Bouncer                        │ Route                │ Method │ Hits │
├────────────────────────────────┼──────────────────────┼────────┼──────┤
│ cs-firewall-bouncer-1753174229 │ /v1/decisions/stream │ GET    │ 99   │
╰────────────────────────────────┴──────────────────────┴────────┴──────╯
╭──────────────────────────────────────────────────────────────────────────────────╮
│ Local API Machines Metrics                                                       │
├──────────────────────────────────────────────────┬───────────────┬────────┬──────┤
│ Machine                                          │ Route         │ Method │ Hits │
├──────────────────────────────────────────────────┼───────────────┼────────┼──────┤
│ 70c9dafd5ebc491293af8bc152db1a8fXTjKXslmcMK1cFdM │ /v1/heartbeat │ GET    │ 16   │
│ 70c9dafd5ebc491293af8bc152db1a8fXTjKXslmcMK1cFdM │ /v1/alerts    │ GET    │ 1    │
╰──────────────────────────────────────────────────┴───────────────┴────────┴──────╯
╭────────────────────────────────────────────────────────────╮
│ Parser Metrics                                             │
├─────────────────────────────────┬──────┬────────┬──────────┤
│ Parsers                         │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/syslog-logs │ 12   │ 12     │ -        │
│ crowdsecurity/syslog-logs       │ 12   │ 12     │ -        │
╰─────────────────────────────────┴──────┴────────┴──────────╯
```

It all looks good, but when I list the decisions:

```
****@Jellyfin:/etc/crowdsec# cscli decisions list
No active decisions
```

All the parsers seem to be working correctly:

```
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 PARSERS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                                📦 Status    Version  Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/dateparse-enrich      ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
 crowdsecurity/geoip-enrich          ✔️  enabled  0.5      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
 crowdsecurity/public-dns-allowlist  ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/public-dns-allowlist.yaml
 crowdsecurity/sshd-logs             ✔️  enabled  3.0      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
 crowdsecurity/syslog-logs           ✔️  enabled  0.8      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
 crowdsecurity/whitelists            ✔️  enabled  0.3      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
```

and the bouncers also:

```
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                            IP Address  Valid  Last API pull         Type                       Version                                                                  Auth Type
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 cs-firewall-bouncer-1753174229  127.0.0.1   ✔️      2025-07-22T14:44:00Z  crowdsec-firewall-bouncer  v0.0.33-debian-pragmatic-amd64-cb8b3e3c654499f745ff487eb1c327d7234a533f  api-key
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```

The server is connected to the console:

```
Security engine « Jellyfin Server »
v1.6.10
OS:Ubuntu v24.04
IP:134.101.164.243
ID:70c9dafd5ebc491293af8bc152db1a8ffa04hltb8slqplbf
Last activity: today at 10:51 AM
Total traffic dropped (Last 7 Days)
No traffic dropped found.
crowdsecurity /cs-firewall-bouncer-1753174229 v0.0.33
Traffic dropped (last 7 days)
No traffic dropped found.
0 source dropping traffic.
0 Blocklist
CrowdSec Community Blocklist #(with green tick)
5 Scenarios
ssh-bf ssh-cve-2024-6387 ssh-generic-test ssh-refused-conn ssh-slow-bf
Log Processors
ID:70c9dafd5ebc491293af8bc152db1a8fXTjKXslmcMK1cFdM v1.6.10
0 Alert
```

On the same Proxmox server I have installed an nginx-Proxy Server with Crowdsec according to the description given by Zoey on the site https://www.crowdsec.net/blog/web-server-security-with-npmplus-and-crowdsec and enrolled the server with the console, and it immediately started counting alerts and attacks in the console:

```
Security engine « Reverse Proxy Server »
v1.6.10
OS:Alpine Linux (docker) v3.21.3
IP:134.101.164.243
ID:4cbe28ecf25a492a9e459af18bd94cf72ywqywswgxrthaak
Last activity: today at 4:10 PM
Total traffic dropped (Last 7 Days)
3.87k Requests
crowdsecurity /npmplus v1.1.1
Traffic dropped (last 7 days)
3.87k Requests
2 sources dropping traffic.
0 Blocklist
CrowdSec Community Blocklist #(with green tick)
181 Scenarios #I won't list them all here
Log processor
ID: localhost v 1.6.10
380 alerts
```

I am at a loss to know why my Jellyfin server is not generating decisions and nothing is showing up in the console. It may look like the server is newly added to the console, but this is only because I deleted it and set it up several times to check if I was following the instructions correctly and completely, but I always had the same result of no decisions and no alerts, even after leaving the server up and running for several days.

The config.yaml:

```yaml
common:
  daemonize: true
  log_media: file
  log_level: info
  log_dir: /var/log/
  log_max_size: 20
  compress_logs: true
  log_max_files: 10
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /var/lib/crowdsec/data/
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
  notification_dir: /etc/crowdsec/notifications/
  plugin_dir: /usr/lib/crowdsec/plugins/
crowdsec_service:
  #console_context_path: /etc/crowdsec/console/context.yaml
  acquisition_path: /etc/crowdsec/acquis.yaml
  acquisition_dir: /etc/crowdsec/acquis.d
  parser_routines: 1
cscli:
  output: human
  color: auto
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  #max_open_conns: 100
  #user:
  #password:
  #db_name:
  #host:
  #port:
  flush:
    max_items: 5000
    max_age: 7d
plugin_config:
  user: nobody # plugin process would be ran on behalf of this user
  group: nogroup # plugin process would be ran on behalf of this group
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    console_path: /etc/crowdsec/console.yaml
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    trusted_ips: # IP ranges, or IPs which can have admin API access
      - 127.0.0.1
      - ::1
#    tls:
#      cert_file: /etc/crowdsec/ssl/cert.pem
#      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060
```

and acquis.yaml:

```yaml
#Generated acquisition file - wizard.sh (service: ssh) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
  - /var/log/syslog
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog
filenames:
  - /var/log/apache2/*.log
labels:
  type: apache2
---
```

I hope that I have not missed out on any necessary information and I would be grateful for any assistance as to why no decisions seem to be made and I get no alerts on the console.
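
Added example (not part of the original post): a small shell check over the Acquisition Metrics table shown above that lists sources whose lines were read but never parsed, since such lines never reach a scenario. The function names and the third sample row are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag acquisition sources that CrowdSec read but never parsed.
# Function names are hypothetical; the rows below are constructed sample input.

# Acquisition Metrics rows: the first two data rows are copied from the post,
# the third is made up to show a source whose lines do reach a scenario bucket.
sample_metrics() {
cat <<'EOF'
│ Source                 │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
│ file:/var/log/auth.log │ 6          │ -            │ 6              │ -                      │ -                 │
│ file:/var/log/syslog   │ 6          │ -            │ 6              │ -                      │ -                 │
│ file:/var/log/demo.log │ 40         │ 35           │ 5              │ 12                     │ -                 │
EOF
}

# Read `cscli metrics` table text on stdin and print one line per source that
# has lines read but nothing parsed. Such a source feeds no scenario, so it
# cannot raise a local alert or decision.
unparsed_sources() {
  # Swap the box-drawing separator for "|" so any awk can split on it.
  sed 's/│/|/g' | awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF >= 8 {
      src = trim($2); nread = trim($3); parsed = trim($4)
      if (src !~ /^[a-z]+:/) next            # header rows, totals, other tables
      if (nread + 0 > 0 && parsed + 0 == 0)  # a "-" cell evaluates to 0
        print src " read=" nread " parsed=0"
    }'
}

sample_metrics | unparsed_sources
```

On a live host, pipe `cscli metrics` into `unparsed_sources`; for a flagged file, `cscli explain --file /var/log/auth.log --type syslog` shows at which parser stage each line stops.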