CrowdSec Starting and Stopping

[andyw]

After upgrading to 25.1.2 I have noticed that the CrowdSec service keeps starting and stopping within the dashboard. Has anyone else experienced this behaviour and is there a way to debug the issue?

[mmetc]

Hello,

the way to debug the issue is to look for the reason in /var/log/crowdsec/crowdsec.log

if you still don't see why it would restart, you can run "cscli support dump" and send the resulting file to support@crowdsec.net

[andyw]

Thanks mmetc

I can see quite a few failed/fatal messages in /var/log/crowdsec/crowdsec.log.

time="2025-03-06T09:18:32Z" level=error msg="Failed to load bucket crowdsecurity/opnsense_naxsi_waf_event: invalid bucket from /usr/local/etc/crowdsec/scenarios/scenario.yaml: filter is not allowed for IP scope"
time="2025-03-06T09:18:32Z" level=fatal msg="crowdsec init: while loading scenarios: scenario loading failed: loading of crowdsecurity/opnsense_naxsi_waf_event failed: invalid bucket from /usr/local/etc/crowdsec/scenarios/scenario.yaml: filter is not allowed for IP scope"

Is this an Opnsense issue or CrowdSec?

[mmetc]

Hi,

this is a custom scenario you made, so I can't exactly replicate. Can you send the content of scenario.yaml to support@crowdsec.net? Attaching the output of "cscli support dump" can help as well. Thanks!

[armdn]

I have the same problem.

Mine logs the same:
level=error msg="Failed to load bucket ls111/opnsense_naxsi_waf_event: invalid bucket from /usr/local/etc/crowdsec/scenarios/scenario.yaml: filter is not allowed for IP scope"
level=fatal msg="crowdsec init: while loading scenarios: scenario loading failed: loading of ls111/opnsense_naxsi_waf_event failed: invalid bucket from /usr/local/etc/crowdsec/scenarios/scenario.yaml: filter is not allowed for IP scope"

It seems this is the old config from ls111 (github) for NAXSI WAF integration.