#!/bin/bash ################################################################################ # Script Name: crowdsec-decisions-exporter.sh # Version: 1.0 # Description: Prometheus exporter for CrowdSec active decisions — detailed # metrics on bans, captchas, scopes, origins, countries, and # decision lifecycle timestamps # # Author: Phil Connor # Contact: contact@mylinux.work # Website: https://mylinux.work # License: MIT # # Note: This exporter focuses exclusively on CrowdSec active decisions # (bans/captchas). For general CrowdSec operational metrics (alerts, # bouncers, machines, hub items), see crowdsec-exporter.sh. # # Prerequisites: # - CrowdSec installed and running # - cscli command available # - jq for JSON parsing # - Root/sudo access # - netcat (nc) for HTTP mode # # Usage: # # Output to stdout # sudo ./crowdsec-decisions-exporter.sh # # # HTTP server mode # sudo ./crowdsec-decisions-exporter.sh --http -p 9202 # # # Textfile collector mode # sudo ./crowdsec-decisions-exporter.sh --textfile # # Metrics Exported: # - crowdsec_decisions_up - Exporter status (1=up, 0=down) # - crowdsec_decisions_exporter_info{version} - Exporter version info # - crowdsec_decisions_active_total - Total active decisions # - crowdsec_decisions_active_by_type{type} - Active decisions by type # - crowdsec_decisions_active_by_scope{scope} - Active decisions by scope # - crowdsec_decisions_active_by_origin{origin} - Active decisions by origin # - crowdsec_decisions_active_by_scenario{scenario} - Active decisions per scenario # - crowdsec_decisions_active_by_country{country} - Active decisions per country (top 20) # - crowdsec_decisions_oldest_timestamp - Oldest active decision timestamp # - crowdsec_decisions_newest_timestamp - Newest active decision timestamp # - crowdsec_decisions_expiring_1h - Decisions expiring within 1 hour # - crowdsec_decisions_local_api_up - LAPI reachability (1/0) # - crowdsec_decisions_exporter_duration_seconds - Script execution time # - crowdsec_decisions_exporter_last_run_timestamp - Last run timestamp # # Configuration: # Default HTTP port: 9202 # Textfile directory: /var/lib/node_exporter # ################################################################################ # ============================================================================ # CONFIGURATION VARIABLES # ============================================================================ TEXTFILE_DIR="/var/lib/node_exporter" OUTPUT_FILE="" HTTP_MODE=false HTTP_PORT=9202 # ============================================================================ # HELPER FUNCTIONS # ============================================================================ show_usage() { cat <&2; exit 1 ;; esac done } # Check if CrowdSec is installed and responding # Returns: 0 if OK, 1 if error check_crowdsec() { if ! command -v cscli >/dev/null 2>&1; then echo "ERROR: cscli command not found" >&2 return 1 fi if ! command -v jq >/dev/null 2>&1; then echo "ERROR: jq not found (required for JSON parsing)" >&2 return 1 fi return 0 } # Escape special characters in Prometheus label values # Args: $1 - string to escape # Returns: escaped string safe for Prometheus labels prom_escape() { local val="$1" val="${val//\\/\\\\}" val="${val//\"/\\\"}" val="${val//$'\n'/}" echo "$val" } # Check LAPI health # Returns: 1 if healthy, 0 if not get_lapi_status() { if cscli lapi status >/dev/null 2>&1; then echo "1" else echo "0" fi } # ============================================================================ # METRIC GENERATION # ============================================================================ # Generate all Prometheus metrics # Returns: Prometheus text format metrics on stdout generate_metrics() { local script_start script_start=$(date +%s) # Check CrowdSec status first if ! check_crowdsec; then cat </dev/null) # Handle "null" or empty output from cscli (means no active decisions) local total_decisions=0 if [ -n "$decisions_json" ] && [ "$decisions_json" != "null" ]; then total_decisions=$(echo "$decisions_json" | jq 'length' 2>/dev/null) total_decisions=${total_decisions:-0} fi # ======================================================================== # ACTIVE DECISIONS TOTAL # ======================================================================== cat </dev/null; then echo "$decisions_json" | jq -r ' group_by(.type) | .[] | "\(.[0].type) \(length)" ' 2>/dev/null | while read -r dtype count; do [ -z "$dtype" ] && continue echo "crowdsec_decisions_active_by_type{type=\"$(prom_escape "$dtype")\"} $count" done fi echo "" # ======================================================================== # DECISIONS BY SCOPE (ip, range, country) # ======================================================================== cat </dev/null; then echo "$decisions_json" | jq -r ' group_by(.scope) | .[] | "\(.[0].scope) \(length)" ' 2>/dev/null | while read -r scope count; do [ -z "$scope" ] && continue echo "crowdsec_decisions_active_by_scope{scope=\"$(prom_escape "$scope")\"} $count" done fi echo "" # ======================================================================== # DECISIONS BY ORIGIN (cscli, crowdsec, CAPI) # ======================================================================== cat </dev/null; then echo "$decisions_json" | jq -r ' group_by(.origin) | .[] | "\(.[0].origin) \(length)" ' 2>/dev/null | while read -r origin count; do [ -z "$origin" ] && continue echo "crowdsec_decisions_active_by_origin{origin=\"$(prom_escape "$origin")\"} $count" done fi echo "" # ======================================================================== # DECISIONS BY SCENARIO (top scenarios) # ======================================================================== cat </dev/null; then echo "$decisions_json" | jq -r ' group_by(.scenario) | map({scenario: .[0].scenario, count: length}) | sort_by(-.count) | .[] | "\(.scenario) \(.count)" ' 2>/dev/null | while read -r scenario count; do [ -z "$scenario" ] && continue echo "crowdsec_decisions_active_by_scenario{scenario=\"$(prom_escape "$scenario")\"} $count" done fi echo "" # ======================================================================== # DECISIONS BY COUNTRY (top 20) # ======================================================================== cat </dev/null; then echo "$decisions_json" | jq -r ' [.[] | select(.scope == "Country" or .scope == "country")] | if length > 0 then group_by(.value) | map({country: .[0].value, count: length}) | sort_by(-.count) | .[0:20] | .[] | "\(.country) \(.count)" else empty end ' 2>/dev/null | while read -r country count; do [ -z "$country" ] && continue echo "crowdsec_decisions_active_by_country{country=\"$(prom_escape "$country")\"} $count" done fi echo "" # ======================================================================== # DECISION TIMESTAMPS (oldest and newest) # ======================================================================== cat </dev/null; then local oldest_ts oldest_ts=$(echo "$decisions_json" | jq -r '[.[].created_at] | sort | first // empty' 2>/dev/null) if [ -n "$oldest_ts" ]; then local oldest_unix oldest_unix=$(date -d "$oldest_ts" +%s 2>/dev/null || echo "0") echo "crowdsec_decisions_oldest_timestamp $oldest_unix" else echo "crowdsec_decisions_oldest_timestamp 0" fi else echo "crowdsec_decisions_oldest_timestamp 0" fi echo "" cat </dev/null; then local newest_ts newest_ts=$(echo "$decisions_json" | jq -r '[.[].created_at] | sort | last // empty' 2>/dev/null) if [ -n "$newest_ts" ]; then local newest_unix newest_unix=$(date -d "$newest_ts" +%s 2>/dev/null || echo "0") echo "crowdsec_decisions_newest_timestamp $newest_unix" else echo "crowdsec_decisions_newest_timestamp 0" fi else echo "crowdsec_decisions_newest_timestamp 0" fi echo "" # ======================================================================== # DECISIONS EXPIRING WITHIN 1 HOUR # ======================================================================== cat </dev/null; then local now_epoch cutoff_epoch expiring_count now_epoch=$(date +%s) cutoff_epoch=$((now_epoch + 3600)) expiring_count=$(echo "$decisions_json" | jq --arg now "$now_epoch" --arg cutoff "$cutoff_epoch" ' [.[] | select(.until != null) | (.until | sub("\\.[0-9]+.*$"; "Z") | fromdateiso8601) as $exp | select($exp > ($now | tonumber) and $exp <= ($cutoff | tonumber)) ] | length ' 2>/dev/null) echo "crowdsec_decisions_expiring_1h ${expiring_count:-0}" else echo "crowdsec_decisions_expiring_1h 0" fi echo "" # ======================================================================== # LAPI HEALTH # ======================================================================== local lapi_status lapi_status=$(get_lapi_status) cat <&2 if ! command -v nc >/dev/null 2>&1; then echo "ERROR: netcat (nc) required for HTTP mode" >&2 exit 1 fi # Infinite loop accepting HTTP requests while true; do { read -r request # Check if request is for /metrics endpoint if [[ "$request" =~ ^GET\ /metrics ]]; then echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r" generate_metrics else # Serve HTML landing page for other requests echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r" cat < CrowdSec Decisions Exporter v1.0

CrowdSec Decisions Prometheus Exporter v1.0

Metrics

Active decision metrics from cscli decisions list.

For general CrowdSec operational metrics, see crowdsec-exporter.sh.

EOF fi } | nc -l -p "$HTTP_PORT" -q 1 2>/dev/null done } # ============================================================================ # MAIN EXECUTION # ============================================================================ # Main entry point - routes to appropriate output mode main() { parse_args "$@" if [ "$HTTP_MODE" = true ]; then # Run HTTP server (blocks until killed) run_http_server elif [ -n "$OUTPUT_FILE" ]; then # Textfile collector mode: write atomically using temp file local output_dir output_dir="$(dirname "$OUTPUT_FILE")" mkdir -p "$output_dir" # Create temp file in SAME directory for atomic rename (same filesystem) local temp_file temp_file=$(mktemp "${output_dir}/.crowdsec_decisions_metrics.XXXXXX") # Generate metrics to temp file if ! generate_metrics > "$temp_file" 2>/dev/null; then rm -f "$temp_file" echo "ERROR: Failed to generate metrics" >&2 exit 1 fi # Validate: file must exist, have content local file_lines file_lines=$(wc -l < "$temp_file" 2>/dev/null || echo 0) if [ "$file_lines" -lt 10 ]; then rm -f "$temp_file" echo "ERROR: Metrics file too small ($file_lines lines), keeping previous" >&2 exit 1 fi # Set permissions before move chmod 644 "$temp_file" # Atomic rename - no gap where file is missing mv -f "$temp_file" "$OUTPUT_FILE" echo "Metrics written to $OUTPUT_FILE ($file_lines lines)" >&2 else # Default: output to stdout generate_metrics fi } # Execute main function with all script arguments main "$@"