Skip to content

Prometheus Metrics

The bouncer exports Prometheus metrics when metrics.enabled is true. Metrics are available at http://<listen_addr>:<listen_port>/metrics.

Gauge Labels: proto

Number of currently active (banned) decisions by protocol version. Updated in real time during streaming ban/unban events and recalculated during reconciliation.

LabelValuesDescription
protoipv4, ipv6Protocol version
# Total active decisions
sum(crowdsec_bouncer_active_decisions)
# IPv6 decisions only
crowdsec_bouncer_active_decisions{proto="ipv6"}

crowdsec_bouncer_active_decisions_by_origin

Section titled “crowdsec_bouncer_active_decisions_by_origin”
Gauge Labels: origin

Active decisions broken down by their source. Incremented/decremented in real time during streaming and reset during full reconciliation.

LabelValuesDescription
origincrowdsec, cscli, CAPI, lists:<name>Source of the decision (lists:<name> is the literal label for a named blocklist; the lists:* wildcard exists only in the crowdsec.origins config filter)
# Active decisions by origin
crowdsec_bouncer_active_decisions_by_origin
# Only community blocklist decisions
crowdsec_bouncer_active_decisions_by_origin{origin="CAPI"}

Counter Labels: action, proto, origin

Total number of decisions processed since startup. Counts both bans (action="ban") and unbans (action="unban"), with proto (ipv4/ipv6) and the decision origin.

# Ban rate per minute by origin
rate(crowdsec_bouncer_decisions_total{action="ban"}[5m]) * 60
# Total unbans since startup
sum(crowdsec_bouncer_decisions_total{action="unban"})

Counter Labels: operation

Total errors by failed operation. The operation label takes the values add, find, remove, reconcile, and firewall.

# Error rate across all operations
rate(crowdsec_bouncer_errors_total[5m])
# Reconciliation errors only
crowdsec_bouncer_errors_total{operation="reconcile"}

Gauge

Whether the bouncer has an active connection to RouterOS (1 = connected, 0 = disconnected).


crowdsec_bouncer_operation_duration_seconds

Section titled “crowdsec_bouncer_operation_duration_seconds”
Histogram Labels: operation

Duration of operations in seconds. Labels: operation="add", operation="remove", operation="reconcile", operation="bulk_add", operation="bulk_remove".

# p99 add operation latency
histogram_quantile(0.99, rate(crowdsec_bouncer_operation_duration_seconds_bucket{operation="add"}[5m]))

crowdsec_bouncer_last_operation_duration_seconds

Section titled “crowdsec_bouncer_last_operation_duration_seconds”
Gauge Labels: operation

Duration of the most recent operation of each type, in seconds. Uses the same operation values as crowdsec_bouncer_operation_duration_seconds and is updated alongside it — useful for “how long did the last reconcile take?” panels without histogram math.

# Duration of the last reconciliation
crowdsec_bouncer_last_operation_duration_seconds{operation="reconcile"}

Counter Labels: action

Total reconciliation actions. Labels: action="added", action="removed", action="unchanged". Periodic reconciliation increments unchanged when entries already match the active CrowdSec snapshot.


Gauge Labels: version, routeros_identity Info metric (value always 1)

Bouncer build information. Labels expose the bouncer version and the RouterOS system identity (routeros_identity) it is connected to.


Gauge

Unix timestamp of when the bouncer process started.


Gauge Labels: group, param, value Info metric (value always 1)

Exposes the non-sensitive bouncer configuration as info metrics. Each configuration parameter is emitted as its own series with exactly three labels — group, param, and value — and a constant value of 1:

crowdsec_bouncer_config_info{group="CrowdSec",param="API URL",value="http://localhost:8080/"} 1
crowdsec_bouncer_config_info{group="MikroTik",param="Connection Pool Size",value="4"} 1
crowdsec_bouncer_config_info{group="Firewall",param="Deny Action",value="drop"} 1
Full parameter list
groupparam values
CrowdSecAPI URL, Update Frequency, Origins, Scopes, Decision Types, Retry Initial Connect, TLS Enabled
MikroTikAddress, TLS Enabled, Connection Pool Size, Connection Timeout, Command Timeout
FirewallIPv4 Enabled, IPv4 Address List, IPv6 Enabled, IPv6 Address List, Filter Enabled, Filter Chains, Raw Enabled, Raw Chains, Deny Action, Block Output, Rule Placement, Comment Prefix, Logging Enabled
LoggingLevel, Format
MetricsEnabled, Listen Address, Listen Port, RouterOS Poll Interval, Track Processed

For Rule Placement, simple values appear as top or bottom; structured placement appears as a compact summary such as position:5, after_comment:drop invalid, top,filter=after_comment:drop invalid,raw=position:2, or top,ipv4=before_comment:IPv4 anchor,ipv6=bottom,ipv6.raw=position:4.

Gauge

Cumulative bytes dropped by all bouncer firewall rules.

Gauge

Cumulative packets dropped by all bouncer firewall rules.

Gauge Labels: proto New

Cumulative bytes dropped by firewall rules, broken down by protocol.

LabelValuesDescription
protoipv4, ipv6Protocol version
Gauge Labels: proto New

Cumulative packets dropped by firewall rules, broken down by protocol.

LabelValuesDescription
protoipv4, ipv6Protocol version
# Dropped bytes rate by protocol
rate(crowdsec_bouncer_dropped_bytes_by_proto[5m])
# Compare IPv4 vs IPv6 dropped traffic
crowdsec_bouncer_dropped_bytes_by_proto{proto="ipv4"}
crowdsec_bouncer_dropped_bytes_by_proto{proto="ipv6"}

Processed traffic metrics measure ALL traffic evaluated by the bouncer’s firewall chains — not just blocked traffic. The bouncer automatically creates action=passthrough counting rules positioned before each drop rule to track total chain throughput. These are the MikroTik equivalent of iptables JUMP counters used by cs-firewall-bouncer.

Gauge New

Cumulative bytes processed (evaluated) by all bouncer firewall rules.

Gauge New

Cumulative packets processed (evaluated) by all bouncer firewall rules.

Gauge Labels: proto New

Cumulative bytes processed by firewall rules, broken down by protocol.

LabelValuesDescription
protoipv4, ipv6Protocol version

crowdsec_bouncer_processed_packets_by_proto

Section titled “crowdsec_bouncer_processed_packets_by_proto”
Gauge Labels: proto New

Cumulative packets processed by firewall rules, broken down by protocol.

LabelValuesDescription
protoipv4, ipv6Protocol version
# Processed traffic rate by protocol
rate(crowdsec_bouncer_processed_bytes_by_proto[5m])
# Drop rate percentage (how much traffic is being blocked)
sum(crowdsec_bouncer_dropped_packets_total) / sum(crowdsec_bouncer_processed_packets_total) * 100

When metrics.routeros_poll_interval is non-zero, the bouncer collects MikroTik system metrics:

Gauge

CPU load percentage (0–100).

crowdsec_bouncer_routeros_memory_total_bytes

Section titled “crowdsec_bouncer_routeros_memory_total_bytes”
Gauge

Total system memory in bytes.

crowdsec_bouncer_routeros_memory_used_bytes

Section titled “crowdsec_bouncer_routeros_memory_used_bytes”
Gauge

Used system memory in bytes.

crowdsec_bouncer_routeros_cpu_temperature_celsius

Section titled “crowdsec_bouncer_routeros_cpu_temperature_celsius”
Gauge

CPU temperature in degrees Celsius.

Gauge New

RouterOS uptime in seconds. Parsed from the MikroTik uptime string format (e.g. 1w2d3h4m5s).

# Uptime in days
crowdsec_bouncer_routeros_uptime_seconds / 86400
Gauge Labels: version, board_name New

RouterOS system information as an info metric (value always 1). Labels expose the RouterOS version and hardware model.

LabelExampleDescription
version7.16.2RouterOS version
board_nameRB4011iGS+Hardware model
# Memory usage percentage
crowdsec_bouncer_routeros_memory_used_bytes / crowdsec_bouncer_routeros_memory_total_bytes * 100
# Average CPU load
crowdsec_bouncer_routeros_cpu_load

The bouncer reports the following to LAPI on each metrics push:

MetricDescription
active_decisionsPer-origin and per-protocol active decision counts
dropped (bytes)Delta of bytes blocked since last push, per ip_type (ipv4/ipv6)
dropped (packets)Delta of packets blocked since last push, per ip_type
processed (bytes)Delta of bytes processed (evaluated) since last push, per ip_type
processed (packets)Delta of packets processed since last push, per ip_type