Prometheus Metrics

The bouncer exports Prometheus metrics when metrics.enabled is true. Metrics are available at http://<listen_addr>:<listen_port>/metrics.

Bouncer Metrics

crowdsec_bouncer_active_decisions

Gauge Labels: ip_type

Number of currently active (banned) decisions by protocol version. Updated in real time during streaming ban/unban events and recalculated during reconciliation.

| Label | Values | Description | | --------- | -------------- | ---------------- | | ip_type | ipv4, ipv6 | Protocol version |

# Total active decisions
sum(crowdsec_bouncer_active_decisions)

# IPv6 decisions only
crowdsec_bouncer_active_decisions{ip_type="ipv6"}

---

crowdsec_bouncer_active_decisions_by_origin

Gauge Labels: origin

Active decisions broken down by their source. Incremented/decremented in real time during streaming and reset during full reconciliation.

| Label | Values | Description | | -------- | -------------------------------------- | ---------------------- | | origin | crowdsec, cscli, CAPI, lists:* | Source of the decision |

# Active decisions by origin
crowdsec_bouncer_active_decisions_by_origin

# Only community blocklist decisions
crowdsec_bouncer_active_decisions_by_origin{origin="CAPI"}

---

crowdsec_bouncer_decisions_total

Counter Labels: action, origin, ip_type

Total number of decisions processed since startup. Counts both bans (action="ban") and unbans (action="unban").

# Ban rate per minute by origin
rate(crowdsec_bouncer_decisions_total{action="ban"}[5m]) * 60

# Total unbans since startup
sum(crowdsec_bouncer_decisions_total{action="unban"})

---

crowdsec_bouncer_errors_total

Counter Labels: component

Total errors by component (lapi, routeros, stream).

# Error rate across all components
rate(crowdsec_bouncer_errors_total[5m])

---

crowdsec_bouncer_routeros_connected

Gauge

Whether the bouncer has an active connection to RouterOS (1 = connected, 0 = disconnected).

---

crowdsec_bouncer_operation_duration_seconds

Histogram Labels: operation

Duration of operations in seconds. Labels: operation="add", operation="remove", operation="reconcile".

# p99 add operation latency
histogram_quantile(0.99, rate(crowdsec_bouncer_operation_duration_seconds_bucket{operation="add"}[5m]))

---

crowdsec_bouncer_reconciliation_total

Counter Labels: action

Total reconciliation actions. Labels: action="added", action="removed", action="unchanged". Periodic reconciliation increments unchanged when entries already match the active CrowdSec snapshot.

---

crowdsec_bouncer_info

Gauge Info metric (value always 1)

Bouncer build information with version label.

---

crowdsec_bouncer_start_time_seconds

Gauge

Unix timestamp of when the bouncer process started.

---

crowdsec_bouncer_config_info

Gauge Info metric (value always 1)

Exposes bouncer configuration as metric labels. Carries all configuration parameters as labels:

Full label list

| Label | Example value | | --------------------------------------- | ------------------------ | | version | 1.4.4 | | crowdsec_url | http://localhost:8080/ | | crowdsec_update_frequency | 10s | | crowdsec_include_scenarios_containing | — | | crowdsec_exclude_scenarios_containing | — | | crowdsec_only_include_decisions_from | — | | crowdsec_origins | crowdsec,cscli | | crowdsec_scenarios | — | | mikrotik_host | 192.168.88.1:8728 | | mikrotik_tls | false | | mikrotik_pool_size | 4 | | firewall_deny_action | drop | | firewall_reject_with | — | | firewall_rule_placement | top | | firewall_filter_chains | input | | firewall_raw_chains | prerouting | | firewall_ipv4_enabled | true | | firewall_ipv6_enabled | true | | firewall_filter_enabled | true | | firewall_raw_enabled | true | | firewall_log | false | | firewall_log_prefix | crowdsec-bouncer | | firewall_comment_prefix | crowdsec-bouncer | | firewall_block_output | false | | firewall_input_interface | — | | firewall_input_interface_list | — | | firewall_input_whitelist | — | | firewall_filter_connection_state | — | | firewall_filter_log_prefix | — | | firewall_raw_log_prefix | — | | metrics_routeros_poll_interval | 30s |

firewall_rule_placement is a configuration label. Simple values appear as top or bottom; structured placement appears as a compact summary such as position:5, after_comment:drop invalid, top,filter=after_comment:drop invalid,raw=position:2, or top,ipv4=before_comment:IPv4 anchor,ipv6=bottom,ipv6.raw=position:4.

Firewall Dropped Traffic

crowdsec_bouncer_dropped_bytes_total

Gauge

Cumulative bytes dropped by all bouncer firewall rules.

crowdsec_bouncer_dropped_packets_total

Gauge

Cumulative packets dropped by all bouncer firewall rules.

crowdsec_bouncer_dropped_bytes_by_proto

Gauge Labels: proto New

Cumulative bytes dropped by firewall rules, broken down by protocol.

| Label | Values | Description | | ------- | -------------- | ---------------- | | proto | ipv4, ipv6 | Protocol version |

crowdsec_bouncer_dropped_packets_by_proto

Gauge Labels: proto New

Cumulative packets dropped by firewall rules, broken down by protocol.

| Label | Values | Description | | ------- | -------------- | ---------------- | | proto | ipv4, ipv6 | Protocol version |

# Dropped bytes rate by protocol
rate(crowdsec_bouncer_dropped_bytes_by_proto[5m])

# Compare IPv4 vs IPv6 dropped traffic
crowdsec_bouncer_dropped_bytes_by_proto{proto="ipv4"}
crowdsec_bouncer_dropped_bytes_by_proto{proto="ipv6"}

Processed Traffic

Processed traffic metrics measure ALL traffic evaluated by the bouncer’s firewall chains — not just blocked traffic. The bouncer automatically creates action=passthrough counting rules positioned before each drop rule to track total chain throughput. These are the MikroTik equivalent of iptables JUMP counters used by cs-firewall-bouncer.

Note

Processed traffic tracking requires metrics.track_processed: true (the default). Set it to false to disable these metrics and avoid creating passthrough counting rules on the router.

crowdsec_bouncer_processed_bytes_total

Gauge New

Cumulative bytes processed (evaluated) by all bouncer firewall rules.

crowdsec_bouncer_processed_packets_total

Gauge New

Cumulative packets processed (evaluated) by all bouncer firewall rules.

crowdsec_bouncer_processed_bytes_by_proto

Gauge Labels: proto New

Cumulative bytes processed by firewall rules, broken down by protocol.

| Label | Values | Description | | ------- | -------------- | ---------------- | | proto | ipv4, ipv6 | Protocol version |

crowdsec_bouncer_processed_packets_by_proto

Gauge Labels: proto New

Cumulative packets processed by firewall rules, broken down by protocol.

| Label | Values | Description | | ------- | -------------- | ---------------- | | proto | ipv4, ipv6 | Protocol version |

# Processed traffic rate by protocol
rate(crowdsec_bouncer_processed_bytes_by_proto[5m])

# Drop rate percentage (how much traffic is being blocked)
sum(crowdsec_bouncer_dropped_packets_total) / sum(crowdsec_bouncer_processed_packets_total) * 100

Note

Processed traffic is typically 200-500x higher than dropped traffic, since it counts ALL packets entering the bouncer chains — not just the ones matching banned IPs. This ratio is expected and provides context for how much traffic the bouncer is actually evaluating.

RouterOS System Metrics

When metrics.routeros_poll_interval is non-zero, the bouncer collects MikroTik system metrics:

crowdsec_bouncer_routeros_cpu_load

Gauge

CPU load percentage (0–100).

crowdsec_bouncer_routeros_memory_total_bytes

Gauge

Total system memory in bytes.

crowdsec_bouncer_routeros_memory_used_bytes

Gauge

Used system memory in bytes.

crowdsec_bouncer_routeros_cpu_temperature_celsius

Gauge

CPU temperature in degrees Celsius.

crowdsec_bouncer_routeros_uptime_seconds

Gauge New

RouterOS uptime in seconds. Parsed from the MikroTik uptime string format (e.g. 1w2d3h4m5s).

# Uptime in days
crowdsec_bouncer_routeros_uptime_seconds / 86400

crowdsec_bouncer_routeros_info

Gauge Labels: version, board_name New

RouterOS system information as an info metric (value always 1). Labels expose the RouterOS version and hardware model.

| Label | Example | Description | | ------------ | ------------ | ---------------- | | version | 7.16.2 | RouterOS version | | board_name | RB4011iGS+ | Hardware model |

# Memory usage percentage
crowdsec_bouncer_routeros_memory_used_bytes / crowdsec_bouncer_routeros_memory_total_bytes * 100

# Average CPU load
crowdsec_bouncer_routeros_cpu_load

LAPI Usage Metrics

Tip

These metrics are reported directly to the CrowdSec LAPI via the /v1/usage-metrics endpoint (not exposed on the Prometheus endpoint). They allow CrowdSec to track bouncer activity centrally. Configure with crowdsec.lapi_metrics_interval.

The bouncer reports the following to LAPI on each metrics push:

| Metric | Description | | ----------------------- | --------------------------------------------------------------------- | | active_decisions | Per-origin and per-protocol active decision counts | | dropped (bytes) | Delta of bytes blocked since last push, per ip_type (ipv4/ipv6) | | dropped (packets) | Delta of packets blocked since last push, per ip_type | | processed (bytes) | Delta of bytes processed (evaluated) since last push, per ip_type | | processed (packets) | Delta of packets processed since last push, per ip_type |

Note

Dropped and processed metrics are sent as deltas (difference since the last push). The LAPI aggregates these to show cumulative bouncer activity in cscli metrics show bouncers. The ip_type label enables per-protocol analysis in the CrowdSec Console.