Crowdsec additional details please

Can we have an option to include the “decision(s)” made by Crowdsec in the notification mail.

It gives the total number and a button for “View Active Decisions” which always takes me to an empty page, as (I’m guessing) the referenced lines have now aged out.

Cheers.

The details were shown in the beginning, see Enhance email properties and formatting by stephdl · Pull Request #92 · NethServer/ns8-crowdsec · GitHub
We summarized it as there were too many notification mails.

It’s possible to view the alerts in the crowdsec web console or on CLI, see CrowdSec — NS8 documentation

cscli alerts list

Yes, we completely flooded the notifications. The most important information is that we are still aware that CrowdSec is still banning, and receiving 1 or 2 messages a day is enough.
I use a dynamic ban time of 1 minute; it is enough to kick bad people, and with each new ban the ban time is multiplied by 4. For me it is enough: my wife will still love me and I have nothing to do if she enters a bad password.


A total of 52 decision(s) has been taken on this instance since 25 Mar 2026 22:01 UTC

Can we fix the “since”, because since is when the email is sent. So it’s unknown what the time period of the 52 decisions is. I’m not even sure what a decision is, a ban?

Also, this trigger is set for 100, so why do I get triggers for random numbers of decisions? Yesterday I got an email at 11:20am for 44 decisions and another 4 hours later for 5 decisions.

I believe, as of right now, that the “daily” email is triggering at 3:01pm, so I’m not sure why I’m getting more than one email per day when the #’s are below the set point of 100 that I set months ago.


Also, is our crowdsec install ban a drop or reject or are we returning a 403 or …

OK, maybe we should use “on” instead of “since”.

Yes, it’s an action being taken, for example a ban, see Decision | CrowdSec

That’s weird, maybe a bug?
Did you reconfigure or restart the CrowdSec service in between those mails?
The setup is explained here: ns8-crowdsec/imageroot/templates/email.yaml at 222fc3f99038c1bd7e518f11909043f805747aae · NethServer/ns8-crowdsec · GitHub

It’s a drop, see ns8-crowdsec/imageroot/templates/crowdsec-firewall-bouncer.yaml at 222fc3f99038c1bd7e518f11909043f805747aae · NethServer/ns8-crowdsec · GitHub

It doesn’t correlate; email at 3:01pm - 35 decisions - previous email 4:26am - 11 hours between - # of bans between those two emails - 35.

So that suggests to me it’s # of bans since last notification trigger.

Now, while there is a ban at 4:26 am, the last ban before the 3:01pm trigger is 2:49pm.

Notification trigger prior to 4:26 am is the 3:01 pm email from the day before, 3:01 is the consistent daily time, usually set at reboot I believe, and the # of bans between yesterday 3:01 and this morning at 4:26 am is 50 and the notification at 4:26am is for 48.

An additional eye should verify this but it appears the language of the email notification should be “since [previous notification]” not “since [current notification]”.

As to why an additional notification email is being sent out at varying times between the every 24hr notification at less than the set point of 100 is another issue altogether.

No, and/or I know that the 24 trigger is dependent on system changes, either a reboot or config change driven restart.

I’m trying to reproduce…

My idea was to change it to “as of [current notification]”.


I am not a native English speaker; kidding people could state that I am not even an English speaker at all, I assume that :smiley:

Could you state a plural and a singular sentence for that?


No. The value of the notification is the # of v time frame.

I have some probes hitting from an IP that can hit 30 various URL attempts in less than 2 seconds before CrowdSec can trigger a ban. Some of those IPs are so aggressive that I put them on a block list in my gateway.

So the notification is for decisions, but those decisions are only a small percentage of the number of attempts.

My thought here is that I would be inclined to lower my trigger threshold to as low as 10 decisions if we can get the notification to give us actionable information and it looks like we’re headed that direction.

That looks great. The (s) was always jarring to me. :grinning_face: I don’t think line 103 would ever be triggered though. :zany_face:

Sorry being a bit late getting back to this.

Agreed that wasn’t an ideal situation.

Better. But my point is why can’t those 1 or 2 messages contain the details that were previously being sent. One email with 5/20/50 lines of data is not a big deal, but it conveys vastly more information that I can use to see if there are any IPs I should be adding to a more permanent ban list.

Cheers.
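
Until the mail carries the details, the per-window list discussed in this thread can be rebuilt from the CLI output. The following is an added example, not part of the thread or of ns8-crowdsec: it counts decisions between two notification times and flags repeat IPs, assuming the JSON from `cscli alerts list -o json` has the fields used in the constructed sample.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample, shaped like `cscli alerts list -o json` output.
# Field names are an assumption; check them against your own output.
SAMPLE = json.loads("""[
 {"created_at": "2026-03-24T14:49:00Z", "scenario": "crowdsecurity/ssh-bf",
  "source": {"ip": "198.51.100.7"}, "decisions": [{"type": "ban", "value": "198.51.100.7"}]},
 {"created_at": "2026-03-24T16:10:05Z", "scenario": "crowdsecurity/http-probing",
  "source": {"ip": "192.0.2.10"}, "decisions": [{"type": "ban", "value": "192.0.2.10"}]},
 {"created_at": "2026-03-24T23:30:00Z", "scenario": "crowdsecurity/ssh-bf",
  "source": {"ip": "203.0.113.44"}, "decisions": [{"type": "ban", "value": "203.0.113.44"}]},
 {"created_at": "2026-03-25T02:15:30.123456789Z", "scenario": "crowdsecurity/http-probing",
  "source": {"ip": "192.0.2.10"}, "decisions": [{"type": "ban", "value": "192.0.2.10"}]},
 {"created_at": "2026-03-25T04:26:00Z", "scenario": "crowdsecurity/ssh-bf",
  "source": {"ip": "198.51.100.7"}, "decisions": [{"type": "ban", "value": "198.51.100.7"}]},
 {"created_at": "2026-03-25T09:00:00Z", "scenario": "crowdsecurity/ssh-bf",
  "source": {"ip": "203.0.113.44"}, "decisions": null}
]""")

def parse_ts(ts):
    """Parse an RFC 3339 timestamp, dropping fractional seconds."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", ts).replace("Z", "+00:00"))

def decisions_between(alerts, start, end):
    """Decisions from alerts created in the window (start, end]."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [(a["created_at"], d["type"], d["value"], a["scenario"])
            for a in alerts if lo < parse_ts(a["created_at"]) <= hi
            for d in a.get("decisions") or []]  # tolerate null/missing decisions

def repeat_offenders(rows, min_hits=2):
    """IPs with at least min_hits decisions in the window: block-list candidates."""
    hits = Counter(value for _, _, value, _ in rows)
    return sorted(ip for ip, n in hits.items() if n >= min_hits)

if __name__ == "__main__":
    # Window = previous notification time up to the current one (constructed times).
    rows = decisions_between(SAMPLE, "2026-03-24T15:01:00Z", "2026-03-25T04:26:00Z")
    print(f"{len(rows)} decision(s) since the previous notification")
    for created, kind, value, scenario in rows:
        print(f"  {created}  {kind:4} {value:15} {scenario}")
    print("repeat offenders:", repeat_offenders(rows))
```

To run it on live data, replace `SAMPLE` with `json.load(sys.stdin)` and pipe the `cscli` output in.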