Skip to content

cscli metrics segfault when db_config is absent #4450

Closed
#4451
Closed
cscli metrics segfault when db_config is absent#4450
#4451
Labels
kind/bugSomething isn't workingneeds/triageos/linuxversion/1.7.7
@dani

Description

@dani
dani
opened on May 4, 2026

What happened?

I'm running a multi-server setup, with dedicated log-processor nodes. As those nodes have no access to the database (local-api is using postgres), I've omited the db_config entirely from the config of the log-processor.
Everything seems to work fine, but I can't execute cscli metrics on those nodes, it immediatly segfault

/ $ cscli metrics
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0xb0 pc=0x117caa8]

goroutine 1 [running]:
github.com/crowdsecurity/crowdsec/pkg/csconfig.(*DatabaseCfg).NewLogger(...)
	github.com/crowdsecurity/crowdsec/pkg/csconfig/database.go:52
github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/core/require.DBClient({0x2fecf10, 0xc0004da3c0}, 0x0)
	github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/core/require/require.go:84 +0x28
github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/climetrics.(*cliMetrics).show(0x0?, {0x2fecf10, 0xc0004da3c0}, {0x0, 0x0, 0x0}, {0x0, 0x0}, 0x0)
	github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/climetrics/show.go:41 +0x6dc
github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/climetrics.(*cliMetrics).NewCommand.func1(0xc00058f000?, {0xc000321180?, 0x4?, 0x2b3eafa?})
	github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/climetrics/metrics.go:41 +0x45
github.com/spf13/cobra.(*Command).execute(0xc0003c7208, {0xc000321160, 0x2, 0x2})
	github.com/spf13/cobra@v1.10.1/command.go:1015 +0xb02
github.com/spf13/cobra.(*Command).ExecuteC(0xc000377b08)
	github.com/spf13/cobra@v1.10.1/command.go:1148 +0x465
github.com/spf13/cobra.(*Command).Execute(...)
	github.com/spf13/cobra@v1.10.1/command.go:1071
github.com/spf13/cobra.(*Command).ExecuteContext(...)
	github.com/spf13/cobra@v1.10.1/command.go:1064
main.mainWrap()
	github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/main.go:337 +0x110
main.main()
	github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/main.go:353 +0x13

Adding a dummy db_config like this, and cscli metrics works

db_config:
  log_level: info
  type: sqlite
  db_path: /tmp/crowdsec.sqlite

What did you expect to happen?

cscli metrics should work even without database config, as log-processor nodes shouldn't need an access to any database

How can we reproduce it (as minimally and precisely as possible)?

With this config

---

common:
  daemonize: false
  log_media: stdout

config_paths:
  data_dir: /local/data
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /local/hub
  index_path: /local/hub/.index.json
  notification_dir: /etc/crowdsec/notifications
  plugin_dir: /usr/local/lib/crowdsec/plugins
  pattern_dir: /etc/crowdsec/patterns

cscli:
  output: human

crowdsec_service:
  enable: true
  acquisition_path: /secrets/acquis.yaml

api:
  server:
    enable: false
  client:
    insecure_skip_verify: false
    credentials_path: /secrets/local_api_creds.yaml

prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060

Anything else we need to know?

No response

Crowdsec version

Details 
version: v1.7.7-027974f2
Codename: alphaga
BuildDate: 2026-03-30_13:05:14
GoVersion: 1.25.1
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.7.7-027974f2-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog, db_mysql, db_postgres, db_sqlite

OS version

Details 
# On Linux:
$ cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.23.4
PRETTY_NAME="Alpine Linux v3.23"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"

$ uname -a
5.14.0-611.49.1.el9_7.x86_64

Enabled collections and parsers

Details 
$ cscli hub list -o raw
firewallservices/pf is tainted by parsers:firewallservices/pf-logs
crowdsecurity/opnsense is tainted by collections:firewallservices/pf
crowdsecurity/traefik is tainted by parsers:crowdsecurity/traefik-logs
crowdsecurity/nginx is tainted by parsers:crowdsecurity/nginx-logs
Loaded: 165 parsers, 11 postoverflows, 781 scenarios, 9 contexts, 5 appsec-configs, 211 appsec-rules, 163 collections
Unmanaged items: 4 local, 12 tainted
name,status,version,description,type
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.3,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nginx-logs,"enabled,tainted",?,Parse nginx access and error logs,parsers
crowdsecurity/opnsense-gui-logs,enabled,0.1,Parse OPNSense web auth logs,parsers
crowdsecurity/pgsql-logs,enabled,0.7,Parse PgSQL logs,parsers
crowdsecurity/postfix-logs,enabled,0.9,Parse postfix logs,parsers
crowdsecurity/postscreen-logs,enabled,0.3,Parse postscreen logs,parsers
crowdsecurity/public-dns-allowlist,enabled,0.1,Allow events from public DNS servers,parsers
crowdsecurity/sshd-logs,enabled,3.1,Parse openSSH logs,parsers
crowdsecurity/sshd-success-logs,enabled,0.1,Parse successful ssh logins,parsers
crowdsecurity/syslog-logs,enabled,1.0,,parsers
crowdsecurity/traefik-logs,"enabled,tainted",?,Parse Traefik access logs,parsers
dani/zimbra-logs,"enabled,local",,,parsers
dbd/http-vector,"enabled,local",,,parsers
Dominic-Wagner/vaultwarden-logs,enabled,0.4,Parse vaultwarden logs,parsers
firewallservices/lemonldap-ng,enabled,0.1,Parse Lemonldap::NG logs,parsers
firewallservices/pf-logs,"enabled,tainted",?,Parse packet filter logs,parsers
crowdsecurity/cdn-whitelist,enabled,0.5,Whitelist CDN providers,postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.5,Whitelist good search engine crawlers,postoverflows
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.7,Detect cve-2021-44228 exploitation attempts,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.4,Confluence - RCE (CVE-2022-26134),scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.3,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-0012,enabled,0.1,Detect CVE-2024-0012 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/CVE-2024-9474,enabled,0.1,Detect CVE-2024-9474 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.3,F5 BIG-IP TMUI - RCE (CVE-2020-5902),scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.4,Detect cve-2018-13379 exploitation attempts,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.3,Grafana - Arbitrary File Read (CVE-2021-43798),scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.5,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-bf-wordpress_bf,enabled,0.7,Detect WordPress bruteforce on admin interface,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.3,Apache - Path Traversal (CVE-2021-41773),scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.3,Apache - Path Traversal (CVE-2021-42013),scenarios
crowdsecurity/http-cve-probing,enabled,0.6,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-dos-bypass-cache,enabled,0.5,Detect DoS tools bypassing cache every request,scenarios
crowdsecurity/http-dos-invalid-http-versions,enabled,0.7,Detect DoS tools using invalid HTTP versions,scenarios
crowdsecurity/http-dos-random-uri,enabled,0.4,Detect DoS tools using random uri,scenarios
crowdsecurity/http-dos-switching-ua,enabled,0.5,Detect DoS tools switching user-agent too fast,scenarios
crowdsecurity/http-generic-bf,enabled,0.9,Detect generic http brute force,scenarios
crowdsecurity/http-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: basic HTTP trigger,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sap-interface-probing,enabled,0.1,Detect generic HTTP SAP interface probing,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.4,Detect exploitation attempts against common WordPress endpoints,scenarios
crowdsecurity/http-wordpress_user-enum,enabled,0.3,Detect WordPress probing: authors enumeration,scenarios
crowdsecurity/http-wordpress_wpconfig,enabled,0.3,Detect WordPress probing: variations around wp-config.php by wpscan,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.4,Detect Atlassian Jira CVE-2021-26086 exploitation attempts,scenarios
crowdsecurity/netgear_rce,enabled,0.4,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.3,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/opnsense-gui-bf,enabled,0.3,Detect bruteforce on opnsense web interface,scenarios
crowdsecurity/pgsql-bf,enabled,0.2,Detect PgSQL bruteforce,scenarios
crowdsecurity/postfix-helo-rejected,enabled,0.1,Detect HELO rejections,scenarios
crowdsecurity/postfix-non-smtp-command,enabled,0.1,Detect scanning of postfix service through non-SMTP commands,scenarios
crowdsecurity/postfix-relay-denied,enabled,0.1,Detect multiple open relay attempts,scenarios
crowdsecurity/postfix-spam,enabled,0.4,Detect spammers,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.4,Detect cve-2019-11510 exploitation attempts,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: SSH brute force trigger,scenarios
crowdsecurity/ssh-refused-conn,enabled,0.1,Detect sshd refused connections,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/ssh-time-based-bf,enabled,0.2,Detect time-based ssh bruteforce attempts that evade rate limiting (with false positive reduction),scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.7,Detect ThinkPHP CVE-2018-20062 exploitation attempts,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.3,Detect VMSA-2021-0027 exploitation attempts,scenarios
dani/zimbra-bf,"enabled,local",,,scenarios
dani/zimbra-user-enum,"enabled,local",,,scenarios
Dominic-Wagner/vaultwarden-bf,enabled,0.3,Detect vaultwarden bruteforce,scenarios
firewallservices/lemonldap-ng-bf,enabled,0.2,Detect Lemonldap::NG bruteforce,scenarios
firewallservices/pf-scan-multi_ports,enabled,0.5,Detect aggressive portscans (pf),scenarios
ltsich/http-w00tw00t,enabled,0.3,detect w00tw00t,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/firewall_base,enabled,0.2,,contexts
crowdsecurity/http_base,enabled,0.3,,contexts
crowdsecurity/base-http-scenarios,enabled,1.3,http common : scanners detection,collections
crowdsecurity/freebsd,enabled,0.5,core freebsd support : syslog+geoip+ssh,collections
crowdsecurity/http-cve,enabled,3.0,Detect CVE exploitation in http logs,collections
crowdsecurity/http-dos,enabled,0.3,,collections
crowdsecurity/nginx,"enabled,tainted",0.3,nginx support : parser and generic http scenarios,collections
crowdsecurity/opnsense,"enabled,tainted",0.5,core opnsense support,collections
crowdsecurity/opnsense-gui,enabled,0.2,OPNSense web authentication support,collections
crowdsecurity/pgsql,enabled,0.2,postgres support : logs and brute-force scenarios,collections
crowdsecurity/postfix,enabled,0.5,postfix support : parser and spammer detection,collections
crowdsecurity/sshd,enabled,0.9,sshd support : parser and brute-force detection,collections
crowdsecurity/traefik,"enabled,tainted",0.2,traefik support: parser and generic http scenarios,collections
crowdsecurity/whitelist-good-actors,enabled,0.3,Good actors whitelists,collections
crowdsecurity/wordpress,enabled,0.6,wordpress: Bruteforce protection and config probing,collections
Dominic-Wagner/vaultwarden,enabled,0.1,Vaultwarden support : parser and brute-force detection,collections
firewallservices/lemonldap-ng,enabled,0.2,Lemonldap::NG support : parser and brutefurce detection,collections
firewallservices/pf,"enabled,tainted",0.3,Parser and scenario for Packet Filter logs,collections

Acquisition config

Details 
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
---
source: http
listen_addr: 127.0.0.1:8856
path: /jsonlog
auth_type: headers
headers:
  X-Crowdsec-Auth: ${CS_HTTP_HEADER_AUTH}
max_body_size: 524288
timeout: 5s
labels:
  type: http
use_time_machine: true

Config show

Details 
$ cscli config show
Global:
   - Configuration Folder   : /secrets
   - Data Folder            : /local/data
   - Hub Folder             : /local/hub
   - Notification Folder    : /etc/crowdsec/notifications
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : 
   - Log level              : panic
   - Log Media              : stdout
Crowdsec:
  - Acquisition File        : /secrets/acquis.yaml
  - Parsers routines        : 0
cscli:
  - Output                  : human
  - Hub Branch              : 
API Client:
  - URL                     : http://127.0.0.1:8855/
  - Login                   : log-processor
  - Credentials File        : /secrets/local_api_creds.yaml
Local API Server (disabled):
  - Listen URL              : 
  - Listen Socket           : 
  - Profile File            : 

  - Trusted IPs:

Prometheus metrics

Details 
$ cscli metrics
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0xb0 pc=0x117caa8]

goroutine 1 [running]:
github.com/crowdsecurity/crowdsec/pkg/csconfig.(*DatabaseCfg).NewLogger(...)
	github.com/crowdsecurity/crowdsec/pkg/csconfig/database.go:52
github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/core/require.DBClient({0x2fecf10, 0xc0006d76c0}, 0x0)
	github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/core/require/require.go:84 +0x28
github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/climetrics.(*cliMetrics).show(0x0?, {0x2fecf10, 0xc0006d76c0}, {0x0, 0x0, 0x0}, {0x0, 0x0}, 0x0)
	github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/climetrics/show.go:41 +0x6dc
github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/climetrics.(*cliMetrics).NewCommand.func1(0xc00075eb00?, {0xc000824b60?, 0x4?, 0x2b3eafa?})
	github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/climetrics/metrics.go:41 +0x45
github.com/spf13/cobra.(*Command).execute(0xc000766f08, {0xc000824b40, 0x2, 0x2})
	github.com/spf13/cobra@v1.10.1/command.go:1015 +0xb02
github.com/spf13/cobra.(*Command).ExecuteC(0xc000710008)
	github.com/spf13/cobra@v1.10.1/command.go:1148 +0x465
github.com/spf13/cobra.(*Command).Execute(...)
	github.com/spf13/cobra@v1.10.1/command.go:1071
github.com/spf13/cobra.(*Command).ExecuteContext(...)
	github.com/spf13/cobra@v1.10.1/command.go:1064
main.mainWrap()
	github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/main.go:337 +0x110
main.main()
	github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/main.go:353 +0x13

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

Details

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugSomething isn't workingneeds/triageos/linuxversion/1.7.7

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions