Skip to content
All Cheatsheets
crowdsec security

CrowdSec

The most important CrowdSec CLI commands for decisions, alerts, bouncers and more.

Docker Mode

Prepends docker exec <container> to all commands.

Decisions

List active decisions

cscli decisions list

Filter decisions by IP

cscli decisions list --ip <ip>

Ban an IP manually

cscli decisions add --ip <ip> --duration <duration> --reason "<reason>"

Ban an IP range

cscli decisions add --range <ip-range> --duration <duration> --reason "<reason>"

Remove a ban for an IP

cscli decisions delete --ip <ip>

Delete all decisions

cscli decisions delete --all

Alerts

List all alerts

cscli alerts list

Inspect alert details

cscli alerts inspect <id>

Filter alerts by IP

cscli alerts list --ip <ip>

Delete all alerts

cscli alerts delete --all

Bouncers

List all bouncers

cscli bouncers list

Add a bouncer

cscli bouncers add <bouncer-name>

Remove a bouncer

cscli bouncers delete <bouncer-name>

Collections & Scenarios

List installed collections

cscli collections list

Install a collection

cscli collections install crowdsecurity/nginx

Remove a collection

cscli collections remove crowdsecurity/nginx

Upgrade all collections

cscli hub update && cscli collections upgrade --all

List installed scenarios

cscli scenarios list

Install a scenario

cscli scenarios install crowdsecurity/ssh-bf

Parsers

List installed parsers

cscli parsers list

Install a parser

cscli parsers install crowdsecurity/sshd-logs

Hub

Update hub index

cscli hub update

Upgrade all installed items

cscli hub upgrade

Show hub status

cscli hub list

Metrics & Logs

Show metrics

cscli metrics

Show live logs

cscli logs

Follow CrowdSec log directly

tail -f /var/log/crowdsec.log

LAPI (Local API)

Check LAPI status

cscli lapi status

Register a machine

cscli machines add --auto

List all machines

cscli machines list

Remove a machine

cscli machines delete <hostname>
All Cheatsheets