From 461be2550282a7202285a64a544e6a6524f343aa Mon Sep 17 00:00:00 2001 From: Laurence Jones Date: Fri, 6 Oct 2023 13:28:05 +0100 Subject: [PATCH] Add some troubleshooting notes about SE (#387) * Add some troubleshooting notes about SE * Move info up to top of troubleshoot * Can also be IP not just port it cannot bind to * Add log locations --- crowdsec-docs/docs/troubleshooting.md | 78 +++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/crowdsec-docs/docs/troubleshooting.md b/crowdsec-docs/docs/troubleshooting.md index 28579a28..5ffeeddd 100644 --- a/crowdsec-docs/docs/troubleshooting.md +++ b/crowdsec-docs/docs/troubleshooting.md 
@@ -59,6 +59,84 @@ Each Remediation Component has its own configuration file, which is located in t They all have an `api_url` option to set the local API URL. +## CrowdSec Log Location + +By default CrowdSec will log to the following locations depending on platform: + +- **Linux** `/var/log/crowdsec.log` +- **Freebsd** `/var/log/crowdsec.log` + - **Opnsense** `/var/log/crowdsec/crowdsec.log` + - **Pfsense** `/var/log/crowdsec/crowdsec.log` +- **Windows** `C:\Program Files\CrowdSec\logs\crowdsec.log` + +This is the default log location if you are using a third party integration they may change the log location. + +## CrowdSec doesn't start (common causes) + +:::info +If it's a configuration file issue, the error message may log in a different location. For example, if a parser/scenario file is invalid, the error message will be logged in `/var/log/crowdsec.log` but if `config.yaml` is invalid, the error message will be logged in syslog instead. +::: + +Here are some common causes and solutions: + +1. CrowdSec cannot bind to the configured port or IP + - **error** message might look like: +``` +level=fatal msg="while serving local API: listen tcp 127.0.0.1:8080: bind: address already in use" +``` + - **solution** verify another service is not already using the port. If it is, you can edit the `listen_uri` port in the configuration file `/etc/crowdsec/config.yaml` and update `/etc/crowdsec/local_api_credentials.yaml` to the same port. Then you can restart CrowdSec with `sudo systemctl restart crowdsec`. + +2. CrowdSec cannot authenticate to the local API + - **error** message might look like: +``` +level=fatal msg="starting outputs error : authenticate watcher (fcb7303c4df44c03ada289dd7ec3dbe7cU3GaseSWdqUaVg6): API error: ent: machine not found" +``` + - **solution** regenerate the credentials via [cscli machines](/docs/cscli/cscli_machines_add) command. 
If the local API is on the same machine you can run `sudo cscli machines add -a` (`-a` will automatically generate a random machine name and password). Then you can restart CrowdSec with `sudo systemctl restart crowdsec`. + +3. CrowdSec cannot connect to the local API + - **error** message might look like: +``` +level=error msg="error while performing request: dial tcp 127.0.0.1:8080: connect: connection refused; 4 retries left" +## There may be other variations of this error message just note if the message contains `connection refused` or `connection reset by peer` or `no such host` its likely a connection issue or configuration. +``` + - **solution** verify that the local API runs on the logged IP and port. If the logged IP and port is incorrect, you can update `/etc/crowdsec/local_api_credentials.yaml` to the correct IP and port (If local API is running on the same machine you can run `grep listen_uri /etc/crowdsec/config.yaml` to find it). Then you can restart CrowdSec with `sudo systemctl restart crowdsec`. If the logged IP and port is correct, verify that the local API is running via `sudo systemctl status crowdsec`. + +4. CrowdSec cannot start because of an invalid configuration file + + - **error** message might look like: +``` +level=fatal msg="/etc/crowdsec/config.yaml: yaml: unmarshal errors:\n line 1: field test not found in type csconfig.Config" +``` + - **solution** CrowdSec will inform you which field or line is invalid. You can edit the configuration file and fix the error. Then you can restart CrowdSec with `sudo systemctl restart crowdsec`. If you are unsure what the configuration file should look like you can find the default configuration files [here](https://github.com/crowdsecurity/crowdsec/tree/master/config) or examples via the [documentation](/docs/configuration/crowdsec_configuration). + +## How can I check to see if a service is already using a port? + +You can use the `netstat` command to check if a service is already using a port. 
+ +For example, to check if a service is using port 8080: (Our default port for the local API) + +```bash +sudo netstat -tulpn | grep :8080 +``` + +## How can I check to see if the local API is running? + +You can use the `cscli lapi` command to check if the local API is running and is contactable. + +```bash +sudo cscli lapi status +``` + +## Where does CrowdSec store its data? + +CrowdSec stores its data in `/var/lib/crowdsec/data/` folder for UNIX and `C:\Program Files\CrowdSec\data\` for Windows. + +## Where does CrowdSec store its configuration files? + +CrowdSec stores configuration files in diffent folder dependins on platform: +- **Linux** `/etc/crowdsec/` +- **Freebsd** `/usr/local/etc/crowdsec/` +- **Windows** `C:\Program Files\CrowdSec\` ## My Remediaton Component doesn't start/work (common causes)
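Review bot: the line `## There may be other variations of this error message ...` under cause 3 sits inside the ```` ``` ```` fence together with the `connection refused` log line, so it renders as part of the log output instead of as guidance to the reader (and if it were ever moved outside the fence with the leading `##` kept, it would become a level-2 heading); close the fence after the log line and put that sentence below it as normal prose, dropping the `##`. Two further points in the same hunk: the solution for cause 1 tells the reader to change the `listen_uri` port in `/etc/crowdsec/config.yaml` and `/etc/crowdsec/local_api_credentials.yaml`, but the unchanged context just above this hunk says every Remediation Component has its own `api_url` pointing at the local API, so the note should also say to update `api_url` in each component's configuration, otherwise the bouncers will start failing with exactly the `connection refused` error described under cause 3; and the `sudo netstat -tulpn | grep :8080` suggestion relies on `net-tools`, which several current Linux distributions no longer install by default, so it is worth listing `sudo ss -tulpn | grep :8080` (from `iproute2`) next to it. Minor wording: `CrowdSec stores configuration files in diffent folder dependins on platform:` should read `CrowdSec stores its configuration files in different folders depending on the platform:`, and the sentence under `CrowdSec Log Location` runs two statements together and would read better as `These are the default log locations. If you are using a third party integration, it may change the log location.`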