
High CPU usage on Docker

Open modem7 opened this issue 2 years ago • 5 comments

What happened?

Docker crowdsec container is using high CPU usage (50-100%)

What did you expect to happen?

Not have high CPU usage

How can we reproduce it (as minimally and precisely as possible)?

 ##~~~~~~~~##
 ##Crowdsec##
 ##~~~~~~~~##

  # CrowdSec - Open-source & collaborative security IPS
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: Crowdsec
    hostname: Crowsec
    networks:
      pihole:
        ipv4_address: '172.22.0.126'
    ports:
      - "19818:8080"
      - "16934:6060"
    environment:
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/nginx crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux crowdsecurity/sshd Dominic-Wagner/vaultwarden LePresidente/authelia"
      DISABLE_COLLECTIONS: "schiz0phr3ne/radarr schiz0phr3ne/sonarr crowdsecurity/mariadb crowdsecurity/mysql crowdsecurity/linux-lpe"
      GID: "${GID-1000}"
      CUSTOM_HOSTNAME: HDA-Docker
      TZ: "$TZ"
      # LEVEL_TRACE: "true" # Trace-level (VERY verbose) on stdout (default: false)
      # LEVEL_DEBUG: "true" # Debug-level on stdout (default: false)
      # LEVEL_INFO: "true" # Info-level on stdout (default: false)
    volumes:
      - $USERDIR/Crowdsec/data:/var/lib/crowdsec/data
      - $USERDIR/Crowdsec/config:/etc/crowdsec
      - $USERDIR/Traefik/logs:/logs/traefik/:ro
      - $USERDIR/Authelia/logs:/logs/authelia/:ro
      - $USERDIR/Bitwarden/Logs:/logs/vaultwarden/:ro
      - $USERDIR/Bookstack/log/nginx/:/logs/bookstack/:ro
      - $USERDIR/Xbackbone/log/nginx/:/logs/xbackbone/:ro
      - /var/log:/var/log:ro
      # - /var/run/docker.sock:/var/run/docker.sock:ro # for docker data source (https://docs.crowdsec.net/docs/data_sources/docker/)
    labels:      
      ## Homepage
      - homepage.name=Crowdsec
      - homepage.group=System
      - homepage.icon=crowdsec
      - homepage.href=https://app.crowdsec.net/security-engines
    logging:
      driver: "local"
      options:
        max-size: 10m
        max-file: "3"
    restart: always
    mem_limit: 5000m
    mem_reservation: 250m
    depends_on:
      - traefik

  # CrowdSec Bouncer - Traefik
  traefik-bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: Crowdsec-Traefik-Bouncer
    networks:
      pihole:
        ipv4_address: '172.22.0.127'
    environment:
      - GIN_MODE=debug # default is debug (more logs)
      - CROWDSEC_BOUNCER_API_KEY=$CROWDSEC_BOUNCER_TRAEFIK_API_KEY # sudo docker exec crowdsec cscli bouncers add traefik-bouncer
      - CROWDSEC_AGENT_HOST=crowdsec:8080 # CrowdSec host and port
      - CROWDSEC_BOUNCER_LOG_LEVEL=1 # 1 INFO 2 WARN https://pkg.go.dev/github.com/rs/zerolog#readme-leveled-logging
    security_opt:
      - no-new-privileges:true
    logging:
      driver: "local"
      options:
        max-size: 10m
        max-file: "3"
    restart: always
    mem_limit: 200m
    mem_reservation: 50m
    depends_on:
      - crowdsec

  # CrowdSec Bouncer - Cloudflare
  # sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer
  # Set max ip number right the first time (max 10000). Recreating container deletes all ips and readds them causing cloudflare 429 rate limiting.
  # To recover: docker run --rm -it -v "$(pwd)"/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml --name BouncerRecovery 'crowdsecurity/cloudflare-bouncer' -d
  cloudflare-bouncer:
    image: crowdsecurity/cloudflare-bouncer
    container_name: Crowdsec-Cloudflare-Bouncer
    networks:
      pihole:
        ipv4_address: '172.22.0.133'
    # ports:
    #  - "2112:2112"
    volumes:
      - $USERDIR/Crowdsec/cloudflare-bouncer/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml
      - $USERDIR/Crowdsec/cloudflare-bouncer/cf-bouncer:/cf-bouncer
    security_opt:
      - no-new-privileges:true
    logging:
      driver: "local"
      options:
        max-size: 10m
        max-file: "3"
    restart: always
    mem_limit: 500m
    mem_reservation: 50m
    depends_on:
      - crowdsec

</details>

### Anything else we need to know?

_No response_

### Crowdsec version

<details>

```console
2023/09/24 04:45:29 version: v1.5.4-e4dcdd25728b914823525f1efabf18d5c454902b
2023/09/24 04:45:29 Codename: alphaga
2023/09/24 04:45:29 BuildDate: 2023-09-20_12:28:07
2023/09/24 04:45:29 GoVersion: 1.20.8
2023/09/24 04:45:29 Platform: docker
2023/09/24 04:45:29 libre2: C++
2023/09/24 04:45:29 Constraint_parser: >= 1.0, <= 2.0
2023/09/24 04:45:29 Constraint_scenario: >= 1.0, < 3.0
2023/09/24 04:45:29 Constraint_api: v1
2023/09/24 04:45:29 Constraint_acquis: >= 1.0, < 2.0
```

</details>

OS version

# On Linux:
$ cat /etc/os-release

PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

$ uname -a

Linux HDA 5.15.0-84-generic #93-Ubuntu SMP Tue Sep 5 17:16:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux


Enabled collections and parsers

Dominic-Wagner/vaultwarden,enabled,0.1,Vaultwarden support : parser and brute-force detection,collections
LePresidente/authelia,enabled,0.2,Authelia Support : parser and brute-force detection,collections
crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,2.1,,collections
crowdsecurity/iptables,enabled,0.1,iptables support : logs and port-scans detection scenarios,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections
crowdsecurity/traefik,enabled,0.1,traefik support: parser and generic http scenarios,collections
crowdsecurity/whitelist-good-actors,enabled,0.1,Good actors whitelists,collections
Dominic-Wagner/vaultwarden-logs,enabled,0.1,Parse vaultwarden logs,parsers
LePresidente/authelia-logs,enabled,0.4,Parse Authelia logs,parsers
crowdsecurity/cri-logs,enabled,0.1,CRI logging format parser,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.2,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/iptables-logs,enabled,0.5,Parse iptables drop logs,parsers
crowdsecurity/nginx-logs,enabled,1.4,Parse nginx access and error logs,parsers
crowdsecurity/sshd-logs,enabled,2.2,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/traefik-logs,enabled,0.9,Parse Traefik access logs,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
custom-whitelists.yaml,"enabled,local",n/a,,parsers
github-whitelists.yaml,"enabled,local",n/a,,parsers
Dominic-Wagner/vaultwarden-bf,enabled,0.1,Detect vaultwarden bruteforce,scenarios
LePresidente/authelia-bf,enabled,0.2,Detect authelia bruteforce,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.1,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.1,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.1,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.1,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.2,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.3,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.1,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.2,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.2,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.1,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.3,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,0.8,Detect bad user-agents,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.4,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.3,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/iptables-scan-multi_ports,enabled,0.1,ban IPs that are scanning us,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.2,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.1,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios
crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.4,Whitelist good search engine crawlers,postoverflows

Acquisition config

filenames:
  - /var/log/auth.log
  - /var/log/syslog
  - /var/log/kern.log
  - /var/log/mail.log
labels:
  type: syslog
---
filenames:
  - /logs/traefik/access.log
labels:
  type: traefik
---
filenames:
  - /logs/authelia/*.log
labels:
  type: authelia
---
filenames:
  - /logs/vaultwarden/*.log
labels:
  type: vaultwarden
---
filenames:
  - /logs/bookstack/*.log
  - /logs/xbackbone/*.log
  - /logs/bookstack/*.log.1
  - /logs/xbackbone/*.log.1
labels:
  type: nginx
#---
#source: docker
#container_name_regexp:
#  - ^[a-zA-Z0-9_.-]*$
#labels:
#  type: docker

Config show

Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log/
   - Log level              : info
   - Log Media              : stdout
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
cscli:
  - Output                  : human
  - Hub Branch              :
  - Hub Folder              : /etc/crowdsec/hub
API Client:
  - URL                     : http://0.0.0.0:8080/
  - Login                   : HDA-Docker
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 0.0.0.0:8080
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000

Prometheus metrics

Acquisition Metrics:
+---------------------------------+------------+--------------+----------------+------------------------+
|             Source              | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket |
+---------------------------------+------------+--------------+----------------+------------------------+
| file:/logs/bookstack/access.log | 50         | 50           | -              | -                      |
| file:/logs/traefik/access.log   | 29         | 29           | -              | 20                     |
| file:/logs/xbackbone/access.log | 52         | 52           | -              | -                      |
| file:/var/log/auth.log          | 14         | -            | 14             | -                      |
| file:/var/log/kern.log          | 10         | -            | 10             | -                      |
| file:/var/log/syslog            | 62         | -            | 62             | -                      |
+---------------------------------+------------+--------------+----------------+------------------------+

Bucket Metrics:
+--------------------------------------+---------------+-----------+--------------+--------+---------+
|                Bucket                | Current Count | Overflows | Instantiated | Poured | Expired |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/http-crawl-non_statics | 1             | -         | 17           | 17     | 16      |
| crowdsecurity/http-probing           | 1             | -         | 3            | 3      | 2       |
+--------------------------------------+---------------+-----------+--------------+--------+---------+

Parser Metrics:
+----------------------------------+------+--------+----------+
|             Parsers              | Hits | Parsed | Unparsed |
+----------------------------------+------+--------+----------+
| child-crowdsecurity/http-logs    | 393  | 262    | 131      |
| child-crowdsecurity/nginx-logs   | 102  | 102    | -        |
| child-crowdsecurity/sshd-logs    | 55   | -      | 55       |
| child-crowdsecurity/syslog-logs  | 86   | 86     | -        |
| child-crowdsecurity/traefik-logs | 29   | 29     | -        |
| crowdsecurity/dateparse-enrich   | 131  | 131    | -        |
| crowdsecurity/geoip-enrich       | 131  | 131    | -        |
| crowdsecurity/github             | 131  | 131    | -        |
| crowdsecurity/http-logs          | 131  | 131    | -        |
| crowdsecurity/nginx-logs         | 102  | 102    | -        |
| crowdsecurity/non-syslog         | 131  | 131    | -        |
| crowdsecurity/sshd-logs          | 5    | -      | 5        |
| crowdsecurity/syslog-logs        | 86   | 86     | -        |
| crowdsecurity/traefik-logs       | 29   | 29     | -        |
| crowdsecurity/whitelists         | 262  | 262    | -        |
+----------------------------------+------+--------+----------+

Local API Metrics:
+----------------------+--------+------+
|        Route         | Method | Hits |
+----------------------+--------+------+
| /v1/decisions        | DELETE | 1    |
| /v1/decisions        | GET    | 8409 |
| /v1/decisions/stream | GET    | 26   |
| /v1/heartbeat        | GET    | 4    |
| /v1/watchers/login   | POST   | 2    |
+----------------------+--------+------+

Local API Machines Metrics:
+------------+---------------+--------+------+
|  Machine   |     Route     | Method | Hits |
+------------+---------------+--------+------+
| HDA-Docker | /v1/decisions | DELETE | 1    |
| HDA-Docker | /v1/heartbeat | GET    | 4    |
+------------+---------------+--------+------+

Local API Bouncers Metrics:
+-------------------+----------------------+--------+------+
|      Bouncer      |        Route         | Method | Hits |
+-------------------+----------------------+--------+------+
| cloudflarebouncer | /v1/decisions/stream | GET    | 26   |
| traefik-bouncer   | /v1/decisions        | GET    | 8409 |
+-------------------+----------------------+--------+------+

Local API Bouncers Decisions:
+-----------------+---------------+-------------------+
|     Bouncer     | Empty answers | Non-empty answers |
+-----------------+---------------+-------------------+
| traefik-bouncer | 8408          | 0                 |
+-----------------+---------------+-------------------+

Local API Decisions:
+--------------------------------------------+----------+--------+-------+
|                   Reason                   |  Origin  | Action | Count |
+--------------------------------------------+----------+--------+-------+
| LePresidente/authelia-bf                   | CAPI     | ban    | 5     |
| crowdsecurity/grafana-cve-2021-43798       | CAPI     | ban    | 78    |
| crowdsecurity/http-sensitive-files         | CAPI     | ban    | 11    |
| crowdsecurity/CVE-2022-42889               | CAPI     | ban    | 16    |
| crowdsecurity/apache_log4j2_cve-2021-44228 | CAPI     | ban    | 418   |
| crowdsecurity/http-generic-bf              | CAPI     | ban    | 21    |
| firehol_cruzit_web_attacks                 | lists    | ban    | 13252 |
| firehol_greensnow                          | lists    | ban    | 6206  |
| Dominic-Wagner/vaultwarden-bf              | CAPI     | ban    | 20    |
| crowdsecurity/http-crawl-non_statics       | CAPI     | ban    | 654   |
| crowdsecurity/spring4shell_cve-2022-22965  | CAPI     | ban    | 3     |
| crowdsecurity/ssh-slow-bf                  | CAPI     | ban    | 22    |
| crowdsecurity/CVE-2022-26134               | CAPI     | ban    | 175   |
| crowdsecurity/CVE-2022-37042               | CAPI     | ban    | 23    |
| crowdsecurity/http-bad-user-agent          | crowdsec | ban    | 2     |
| crowdsecurity/http-bad-user-agent          | CAPI     | ban    | 7877  |
| crowdsecurity/jira_cve-2021-26086          | CAPI     | ban    | 24    |
| crowdsecurity/thinkphp-cve-2018-20062      | CAPI     | ban    | 203   |
| crowdsecurity/CVE-2019-18935               | CAPI     | ban    | 56    |
| crowdsecurity/CVE-2022-41082               | CAPI     | ban    | 995   |
| crowdsecurity/CVE-2022-41082               | crowdsec | ban    | 1     |
| crowdsecurity/http-open-proxy              | CAPI     | ban    | 611   |
| crowdsecurity/netgear_rce                  | CAPI     | ban    | 51    |
| crowdsecurity/http-cve-2021-41773          | CAPI     | ban    | 30    |
| crowdsecurity/http-path-traversal-probing  | CAPI     | ban    | 103   |
| crowdsecurity/CVE-2022-35914               | CAPI     | ban    | 58    |
| crowdsecurity/http-backdoors-attempts      | CAPI     | ban    | 1068  |
| crowdsecurity/ssh-bf                       | CAPI     | ban    | 16643 |
| crowdsecurity/f5-big-ip-cve-2020-5902      | CAPI     | ban    | 30    |
| crowdsecurity/fortinet-cve-2018-13379      | CAPI     | ban    | 115   |
| crowdsecurity/http-probing                 | crowdsec | ban    | 14    |
| crowdsecurity/http-probing                 | CAPI     | ban    | 3033  |
| crowdsecurity/iptables-scan-multi_ports    | CAPI     | ban    | 307   |
| crowdsecurity/nginx-req-limit-exceeded     | CAPI     | ban    | 197   |
| otx-georgs-honeypot                        | lists    | ban    | 1142  |
+--------------------------------------------+----------+--------+-------+

Local API Alerts:
+------------------------------------+-------+
|               Reason               | Count |
+------------------------------------+-------+
| crowdsecurity/http-probing         | 32    |
| crowdsecurity/http-sensitive-files | 2     |
| crowdsecurity/CVE-2019-18935       | 1     |
| crowdsecurity/CVE-2022-41082       | 6     |
| crowdsecurity/http-bad-user-agent  | 3     |
+------------------------------------+-------+

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

modem7 avatar Sep 24 '23 03:09 modem7

@modem7: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

github-actions[bot] avatar Sep 24 '23 03:09 github-actions[bot]

Looks like by removing the syslogs, the CPU usage has gone down.

Will put this in pending whilst I monitor further.

modem7 avatar Sep 24 '23 04:09 modem7

Nope, issue still remains.

modem7 avatar Sep 24 '23 17:09 modem7

Could you dump and maybe send me the file

https://docs.crowdsec.net/docs/next/observability/pprof/#visualize-cpu-usage

[email protected]

LaurenceJJones avatar Sep 25 '23 06:09 LaurenceJJones

If I try from inside the container:

docker exec -it Crowdsec /bin/bash
Crowsec:/# go tool pprof -http=:8081 http://localhost:6060/debug/pprof/profile
bash: go: command not found

If I try it from the host:

❯ go tool pprof -http=:8081 http://localhost:16934/debug/pprof/profile
Fetching profile over HTTP from http://localhost:16934/debug/pprof/profile
http://localhost:16934/debug/pprof/profile: Get "http://localhost:16934/debug/pprof/profile": read tcp [::1]:55028->[::1]:16934: read: connection reset by peer
failed to fetch any source profiles

I also tried (from the host), as it looked like it was trying IPv6 in the previous command:

❯ go tool pprof -http=:8081 http://127.0.0.1:16934/debug/pprof/profile
Fetching profile over HTTP from http://127.0.0.1:16934/debug/pprof/profile
http://127.0.0.1:16934/debug/pprof/profile: Get "http://127.0.0.1:16934/debug/pprof/profile": read tcp 127.0.0.1:60706->127.0.0.1:16934: read: connection reset by peer
failed to fetch any source profiles
❯ go tool pprof -http=:8081 http://192.168.50.254:16934/debug/pprof/profile
Fetching profile over HTTP from http://192.168.50.254:16934/debug/pprof/profile
http://192.168.50.254:16934/debug/pprof/profile: Get "http://192.168.50.254:16934/debug/pprof/profile": dial tcp 192.168.50.254:16934: connect: connection refused
failed to fetch any source profiles

After installing go in the Crowdsec container, I was able to get the file.

❯ docker exec -it Crowdsec /bin/bash
Crowsec:/# apk add go
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
(1/13) Installing libgcc (12.2.1_git20220924-r10)
(2/13) Installing libstdc++ (12.2.1_git20220924-r10)
(3/13) Installing zstd-libs (1.5.5-r4)
(4/13) Installing binutils (2.40-r7)
(5/13) Installing libgomp (12.2.1_git20220924-r10)
(6/13) Installing libatomic (12.2.1_git20220924-r10)
(7/13) Installing gmp (6.2.1-r3)
(8/13) Installing isl26 (0.26-r1)
(9/13) Installing mpfr4 (4.2.0_p12-r0)
(10/13) Installing mpc1 (1.3.1-r1)
(11/13) Installing gcc (12.2.1_git20220924-r10)
(12/13) Installing musl-dev (1.2.4-r1)
(13/13) Installing go (1.20.8-r0)
Executing busybox-1.36.1-r2.trigger
OK: 326 MiB in 33 packages
Crowsec:/# go tool pprof -http=:8081 http://localhost:6060/debug/pprof/profile
Fetching profile over HTTP from http://localhost:6060/debug/pprof/profile
Saved profile in /root/pprof/pprof.crowdsec.samples.cpu.001.pb.gz
Serving web UI on http://localhost:8081
http://localhost:8081

Have sent the resulting files via email.

Thanks!

modem7 avatar Sep 25 '23 09:09 modem7
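
As an added example (not part of the issue thread or the CrowdSec project's own tooling), the profile collected in the last comment can also be captured without installing Go and its toolchain into the container: fetch the raw profile from inside the container and open it with `go tool pprof` on the host. It assumes the container name `Crowdsec` and in-container port 6060 from the compose file above, and that `wget` is available in the image; `capture_profile`, `is_gzip` and the environment variable names are hypothetical.

```bash
#!/bin/sh
# Added example: capture a CrowdSec CPU profile without installing Go in the
# container. Assumptions: container name and pprof port come from the compose
# file in this issue; wget is assumed to exist in the image.
set -eu

CONTAINER="${CONTAINER:-Crowdsec}"       # container_name in the compose file
PPROF_PORT="${PPROF_PORT:-6060}"         # pprof port inside the container
SAMPLE_SECONDS="${SAMPLE_SECONDS:-30}"   # CPU sampling window in seconds

# Go CPU profiles are gzip-compressed protobuf: check the 1f 8b magic bytes.
is_gzip() {
  [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "1f8b" ]
}

# capture_profile OUTFILE
# Fetches the profile through `docker exec`, so the debug port does not have
# to be reachable from the host, and only keeps the file if it looks valid.
capture_profile() {
  out="$1"
  tmp="${out}.part"
  case "$SAMPLE_SECONDS" in
    ''|*[!0-9]*) echo "SAMPLE_SECONDS must be a whole number" >&2; return 2 ;;
  esac
  url="http://127.0.0.1:${PPROF_PORT}/debug/pprof/profile?seconds=${SAMPLE_SECONDS}"
  if ! docker exec "$CONTAINER" wget -q -O - "$url" > "$tmp"; then
    rm -f "$tmp"
    echo "fetch from ${CONTAINER} failed" >&2
    return 1
  fi
  if ! is_gzip "$tmp"; then
    # An error page or a truncated response is not worth sending to anyone.
    rm -f "$tmp"
    echo "response is not a gzip-compressed profile" >&2
    return 1
  fi
  mv "$tmp" "$out"
}

# Only talk to Docker when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
  capture_profile "${2:-crowdsec.cpu.pb.gz}"
  echo "open on the host with: go tool pprof -http=:8081 ${2:-crowdsec.cpu.pb.gz}"
fi
```

Run it with `--run` and an optional output path; the resulting file is the same kind of `.pb.gz` profile that `go tool pprof` saved in the session above.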