chiefgeek/linux-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
62139b3377eb9ec24480930600c691f0225035c7
linux-scripts/crowdsec-decisions-exporter.sh
T
chiefgeek a1a17e81a1 Sync all scripts from website downloads — 352 scripts total 
Includes updated JS challenge scripts with Claude-User whitelist,
same-site referer bypass, Blackbox-Exporter allowed bot, and all
new exporters, cheat sheets, and automation scripts.
2026-05-25 03:31:08 +02:00

519 lines
17 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
################################################################################
# Script Name: crowdsec-decisions-exporter.sh
# Version: 1.0
# Description: Prometheus exporter for CrowdSec active decisions — detailed
# metrics on bans, captchas, scopes, origins, countries, and
# decision lifecycle timestamps
#
# Author: Phil Connor
# Contact: contact@mylinux.work
# Website: https://mylinux.work
# License: MIT
#
# Note: This exporter focuses exclusively on CrowdSec active decisions
# (bans/captchas). For general CrowdSec operational metrics (alerts,
# bouncers, machines, hub items), see crowdsec-exporter.sh.
#
# Prerequisites:
# - CrowdSec installed and running
# - cscli command available
# - jq for JSON parsing
# - Root/sudo access
# - netcat (nc) for HTTP mode
#
# Usage:
# # Output to stdout
# sudo ./crowdsec-decisions-exporter.sh
#
# # HTTP server mode
# sudo ./crowdsec-decisions-exporter.sh --http -p 9202
#
# # Textfile collector mode
# sudo ./crowdsec-decisions-exporter.sh --textfile
#
# Metrics Exported:
# - crowdsec_decisions_up - Exporter status (1=up, 0=down)
# - crowdsec_decisions_exporter_info{version} - Exporter version info
# - crowdsec_decisions_active_total - Total active decisions
# - crowdsec_decisions_active_by_type{type} - Active decisions by type
# - crowdsec_decisions_active_by_scope{scope} - Active decisions by scope
# - crowdsec_decisions_active_by_origin{origin} - Active decisions by origin
# - crowdsec_decisions_active_by_scenario{scenario} - Active decisions per scenario
# - crowdsec_decisions_active_by_country{country} - Active decisions per country (top 20)
# - crowdsec_decisions_oldest_timestamp - Oldest active decision timestamp
# - crowdsec_decisions_newest_timestamp - Newest active decision timestamp
# - crowdsec_decisions_expiring_1h - Decisions expiring within 1 hour
# - crowdsec_decisions_local_api_up - LAPI reachability (1/0)
# - crowdsec_decisions_exporter_duration_seconds - Script execution time
# - crowdsec_decisions_exporter_last_run_timestamp - Last run timestamp
#
# Configuration:
# Default HTTP port: 9202
# Textfile directory: /var/lib/node_exporter
#
################################################################################
# ============================================================================
# CONFIGURATION VARIABLES
# ============================================================================
TEXTFILE_DIR="/var/lib/node_exporter"
OUTPUT_FILE=""
HTTP_MODE=false
HTTP_PORT=9202
# ============================================================================
# HELPER FUNCTIONS
# ============================================================================
show_usage() {
cat <<EOF
Usage: $0 [OPTIONS]
Export CrowdSec active decision statistics as Prometheus metrics.
MODES:
--textfile Write to node_exporter textfile collector
--http Run HTTP server on port $HTTP_PORT
OPTIONS:
-p, --port HTTP port (default: 9202)
-o, --output Output file path
EXAMPLES:
sudo $0 --textfile # Write to textfile collector
sudo $0 --http --port 9202 # Run HTTP server
sudo $0 -o /tmp/crowdsec_decisions.prom # Write to custom file
NOTE:
This exporter focuses on active decisions (bans/captchas). For general
CrowdSec operational metrics, see crowdsec-exporter.sh.
EOF
exit 0
}
parse_args() {
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help) show_usage ;;
--textfile) OUTPUT_FILE="$TEXTFILE_DIR/crowdsec_decisions.prom"; shift ;;
--http) HTTP_MODE=true; shift ;;
-p|--port) HTTP_PORT="$2"; shift 2 ;;
-o|--output) OUTPUT_FILE="$2"; shift 2 ;;
*) echo "Unknown option: $1" >&2; exit 1 ;;
esac
done
}
# Check if CrowdSec is installed and responding
# Returns: 0 if OK, 1 if error
check_crowdsec() {
if ! command -v cscli >/dev/null 2>&1; then
echo "ERROR: cscli command not found" >&2
return 1
fi
if ! command -v jq >/dev/null 2>&1; then
echo "ERROR: jq not found (required for JSON parsing)" >&2
return 1
fi
return 0
}
# Escape special characters in Prometheus label values
# Args: $1 - string to escape
# Returns: escaped string safe for Prometheus labels
prom_escape() {
local val="$1"
val="${val//\\/\\\\}"
val="${val//\"/\\\"}"
val="${val//$'\n'/}"
echo "$val"
}
# Check LAPI health
# Returns: 1 if healthy, 0 if not
get_lapi_status() {
if cscli lapi status >/dev/null 2>&1; then
echo "1"
else
echo "0"
fi
}
# ============================================================================
# METRIC GENERATION
# ============================================================================
# Generate all Prometheus metrics
# Returns: Prometheus text format metrics on stdout
generate_metrics() {
local script_start
script_start=$(date +%s)
# Check CrowdSec status first
if ! check_crowdsec; then
cat <<EOF
# HELP crowdsec_decisions_up CrowdSec decisions exporter status
# TYPE crowdsec_decisions_up gauge
crowdsec_decisions_up 0
EOF
return
fi
cat <<EOF
# HELP crowdsec_decisions_up CrowdSec decisions exporter status
# TYPE crowdsec_decisions_up gauge
crowdsec_decisions_up 1
# HELP crowdsec_decisions_exporter_info Exporter version information
# TYPE crowdsec_decisions_exporter_info gauge
crowdsec_decisions_exporter_info{version="1.0"} 1
EOF
echo ""
# ========================================================================
# FETCH DECISIONS DATA
# ========================================================================
local decisions_json
decisions_json=$(cscli decisions list -o json 2>/dev/null)
# Handle "null" or empty output from cscli (means no active decisions)
local total_decisions=0
if [ -n "$decisions_json" ] && [ "$decisions_json" != "null" ]; then
total_decisions=$(echo "$decisions_json" | jq 'length' 2>/dev/null)
total_decisions=${total_decisions:-0}
fi
# ========================================================================
# ACTIVE DECISIONS TOTAL
# ========================================================================
cat <<EOF
# HELP crowdsec_decisions_active_total Total active decisions
# TYPE crowdsec_decisions_active_total gauge
crowdsec_decisions_active_total $total_decisions
EOF
echo ""
# ========================================================================
# DECISIONS BY TYPE (ban, captcha, throttle)
# ========================================================================
cat <<EOF
# HELP crowdsec_decisions_active_by_type Active decisions by type
# TYPE crowdsec_decisions_active_by_type gauge
EOF
if [ "$total_decisions" -gt 0 ] 2>/dev/null; then
echo "$decisions_json" | jq -r '
group_by(.type) | .[] |
"\(.[0].type) \(length)"
' 2>/dev/null | while read -r dtype count; do
[ -z "$dtype" ] && continue
echo "crowdsec_decisions_active_by_type{type=\"$(prom_escape "$dtype")\"} $count"
done
fi
echo ""
# ========================================================================
# DECISIONS BY SCOPE (ip, range, country)
# ========================================================================
cat <<EOF
# HELP crowdsec_decisions_active_by_scope Active decisions by scope
# TYPE crowdsec_decisions_active_by_scope gauge
EOF
if [ "$total_decisions" -gt 0 ] 2>/dev/null; then
echo "$decisions_json" | jq -r '
group_by(.scope) | .[] |
"\(.[0].scope) \(length)"
' 2>/dev/null | while read -r scope count; do
[ -z "$scope" ] && continue
echo "crowdsec_decisions_active_by_scope{scope=\"$(prom_escape "$scope")\"} $count"
done
fi
echo ""
# ========================================================================
# DECISIONS BY ORIGIN (cscli, crowdsec, CAPI)
# ========================================================================
cat <<EOF
# HELP crowdsec_decisions_active_by_origin Active decisions by origin
# TYPE crowdsec_decisions_active_by_origin gauge
EOF
if [ "$total_decisions" -gt 0 ] 2>/dev/null; then
echo "$decisions_json" | jq -r '
group_by(.origin) | .[] |
"\(.[0].origin) \(length)"
' 2>/dev/null | while read -r origin count; do
[ -z "$origin" ] && continue
echo "crowdsec_decisions_active_by_origin{origin=\"$(prom_escape "$origin")\"} $count"
done
fi
echo ""
# ========================================================================
# DECISIONS BY SCENARIO (top scenarios)
# ========================================================================
cat <<EOF
# HELP crowdsec_decisions_active_by_scenario Active decisions per scenario
# TYPE crowdsec_decisions_active_by_scenario gauge
EOF
if [ "$total_decisions" -gt 0 ] 2>/dev/null; then
echo "$decisions_json" | jq -r '
group_by(.scenario) | map({scenario: .[0].scenario, count: length}) |
sort_by(-.count) | .[] |
"\(.scenario) \(.count)"
' 2>/dev/null | while read -r scenario count; do
[ -z "$scenario" ] && continue
echo "crowdsec_decisions_active_by_scenario{scenario=\"$(prom_escape "$scenario")\"} $count"
done
fi
echo ""
# ========================================================================
# DECISIONS BY COUNTRY (top 20)
# ========================================================================
cat <<EOF
# HELP crowdsec_decisions_active_by_country Active decisions per country code (top 20)
# TYPE crowdsec_decisions_active_by_country gauge
EOF
if [ "$total_decisions" -gt 0 ] 2>/dev/null; then
echo "$decisions_json" | jq -r '
[.[] | select(.scope == "Country" or .scope == "country")] |
if length > 0 then
group_by(.value) | map({country: .[0].value, count: length}) |
sort_by(-.count) | .[0:20] | .[] |
"\(.country) \(.count)"
else
empty
end
' 2>/dev/null | while read -r country count; do
[ -z "$country" ] && continue
echo "crowdsec_decisions_active_by_country{country=\"$(prom_escape "$country")\"} $count"
done
fi
echo ""
# ========================================================================
# DECISION TIMESTAMPS (oldest and newest)
# ========================================================================
cat <<EOF
# HELP crowdsec_decisions_oldest_timestamp Unix timestamp of oldest active decision
# TYPE crowdsec_decisions_oldest_timestamp gauge
EOF
if [ "$total_decisions" -gt 0 ] 2>/dev/null; then
local oldest_ts
oldest_ts=$(echo "$decisions_json" | jq -r '[.[].created_at] | sort | first // empty' 2>/dev/null)
if [ -n "$oldest_ts" ]; then
local oldest_unix
oldest_unix=$(date -d "$oldest_ts" +%s 2>/dev/null || echo "0")
echo "crowdsec_decisions_oldest_timestamp $oldest_unix"
else
echo "crowdsec_decisions_oldest_timestamp 0"
fi
else
echo "crowdsec_decisions_oldest_timestamp 0"
fi
echo ""
cat <<EOF
# HELP crowdsec_decisions_newest_timestamp Unix timestamp of newest active decision
# TYPE crowdsec_decisions_newest_timestamp gauge
EOF
if [ "$total_decisions" -gt 0 ] 2>/dev/null; then
local newest_ts
newest_ts=$(echo "$decisions_json" | jq -r '[.[].created_at] | sort | last // empty' 2>/dev/null)
if [ -n "$newest_ts" ]; then
local newest_unix
newest_unix=$(date -d "$newest_ts" +%s 2>/dev/null || echo "0")
echo "crowdsec_decisions_newest_timestamp $newest_unix"
else
echo "crowdsec_decisions_newest_timestamp 0"
fi
else
echo "crowdsec_decisions_newest_timestamp 0"
fi
echo ""
# ========================================================================
# DECISIONS EXPIRING WITHIN 1 HOUR
# ========================================================================
cat <<EOF
# HELP crowdsec_decisions_expiring_1h Decisions expiring within 1 hour
# TYPE crowdsec_decisions_expiring_1h gauge
EOF
if [ "$total_decisions" -gt 0 ] 2>/dev/null; then
local now_epoch cutoff_epoch expiring_count
now_epoch=$(date +%s)
cutoff_epoch=$((now_epoch + 3600))
expiring_count=$(echo "$decisions_json" | jq --arg now "$now_epoch" --arg cutoff "$cutoff_epoch" '
[.[] | select(.until != null) |
(.until | sub("\\.[0-9]+.*$"; "Z") | fromdateiso8601) as $exp |
select($exp > ($now | tonumber) and $exp <= ($cutoff | tonumber))
] | length
' 2>/dev/null)
echo "crowdsec_decisions_expiring_1h ${expiring_count:-0}"
else
echo "crowdsec_decisions_expiring_1h 0"
fi
echo ""
# ========================================================================
# LAPI HEALTH
# ========================================================================
local lapi_status
lapi_status=$(get_lapi_status)
cat <<EOF
# HELP crowdsec_decisions_local_api_up LAPI health status (1=healthy, 0=unhealthy)
# TYPE crowdsec_decisions_local_api_up gauge
crowdsec_decisions_local_api_up $lapi_status
EOF
echo ""
# ========================================================================
# EXPORTER RUNTIME
# ========================================================================
local script_end script_duration
script_end=$(date +%s)
script_duration=$((script_end - script_start))
cat <<EOF
# HELP crowdsec_decisions_exporter_duration_seconds Time to generate all metrics
# TYPE crowdsec_decisions_exporter_duration_seconds gauge
crowdsec_decisions_exporter_duration_seconds $script_duration
# HELP crowdsec_decisions_exporter_last_run_timestamp Unix timestamp of last successful run
# TYPE crowdsec_decisions_exporter_last_run_timestamp gauge
crowdsec_decisions_exporter_last_run_timestamp $script_end
EOF
echo ""
}
# ============================================================================
# HTTP SERVER MODE
# ============================================================================
# Run simple HTTP server using netcat
# Serves metrics on /metrics endpoint
run_http_server() {
echo "Starting CrowdSec decisions exporter on port $HTTP_PORT..." >&2
if ! command -v nc >/dev/null 2>&1; then
echo "ERROR: netcat (nc) required for HTTP mode" >&2
exit 1
fi
# Infinite loop accepting HTTP requests
while true; do
{
read -r request
# Check if request is for /metrics endpoint
if [[ "$request" =~ ^GET\ /metrics ]]; then
echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r"
generate_metrics
else # Serve HTML landing page for other requests
echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r"
cat <<EOF
<!DOCTYPE html>
<html>
<head><title>CrowdSec Decisions Exporter v1.0</title></head>
<body>
<h1>CrowdSec Decisions Prometheus Exporter v1.0</h1>
<p><a href="/metrics">Metrics</a></p>
<p>Active decision metrics from cscli decisions list.</p>
<p>For general CrowdSec operational metrics, see crowdsec-exporter.sh.</p>
</body>
</html>
EOF
fi
} | nc -l -p "$HTTP_PORT" -q 1 2>/dev/null
done
}
# ============================================================================
# MAIN EXECUTION
# ============================================================================
# Main entry point - routes to appropriate output mode
main() {
parse_args "$@"
if [ "$HTTP_MODE" = true ]; then
# Run HTTP server (blocks until killed)
run_http_server
elif [ -n "$OUTPUT_FILE" ]; then
# Textfile collector mode: write atomically using temp file
local output_dir
output_dir="$(dirname "$OUTPUT_FILE")"
mkdir -p "$output_dir"
# Create temp file in SAME directory for atomic rename (same filesystem)
local temp_file
temp_file=$(mktemp "${output_dir}/.crowdsec_decisions_metrics.XXXXXX")
# Generate metrics to temp file
if ! generate_metrics > "$temp_file" 2>/dev/null; then
rm -f "$temp_file"
echo "ERROR: Failed to generate metrics" >&2
exit 1
fi
# Validate: file must exist, have content
local file_lines
file_lines=$(wc -l < "$temp_file" 2>/dev/null || echo 0)
if [ "$file_lines" -lt 10 ]; then
rm -f "$temp_file"
echo "ERROR: Metrics file too small ($file_lines lines), keeping previous" >&2
exit 1
fi
# Set permissions before move
chmod 644 "$temp_file"
# Atomic rename - no gap where file is missing
mv -f "$temp_file" "$OUTPUT_FILE"
echo "Metrics written to $OUTPUT_FILE ($file_lines lines)" >&2
else
# Default: output to stdout
generate_metrics
fi
}
# Execute main function with all script arguments
main "$@"
Reference in New Issue View Git Blame Copy Permalink