Crowdsec module "missing"?

Hi,

I’ve a running crowdsec module that works correctly :

```
api-cli run get-configuration --agent module/crowdsec1 | jq
{
  "helo_host": "mail.xxx.be",
  "receiver_emails": [
    ""
  ],
  "bantime": "1",
  "dyn_bantime": true,
  "whitelists": [
    ""
  ],
  "enable_online_api": true,
  "ban_local_network": false,
  "enroll_instance": "xxx",
  "mail_configured": true,
  "group_threshold": 100,
  "dynamic_bantime_duration": "4"
}
```


However, trying to get to the cli console as explained in the documentation doesn’t work :

```
[root@cloud ~]# runagent -m crowdsec1 bash -l
runagent: [FATAL] Cannot find module crowdsec1 in the local node
```

It looks like there is no crowdsec module :thinking:

A change in the architecture of the modules? Is it now included in another module like Traefik? If yes the doc should be updated.

Txs

Matthieu

Do you have any worker node?

The fact that api-cli command succeeds makes me think you ran runagent on a different node.

Yes indeed, there are two worker nodes but the one where I ran this command is the leader node :thinking:

```
[root@cloud ~]# hostname
cloud
```

Ok, please check in Applications page if crowdsec1 is installed on node 1 or not.

Oh you’re right. My mistake. Looks strange to me that I chose to install that module on a worker node, that doesn’t seem logical.

A crowdsec application protects the node it runs on. You can consider installing it on node 1 too.

Gosh. That wasn’t clear to me.

Don’t you think that it should be part of a standard installation, like we were routinely installing fail2ban?

Not necessarily. I’d prefer to leave that decision to the system administrator.

There are environments where CrowdSec provides clear value and should definitely be installed, but there are also scenarios where administrators may consider it unnecessary, redundant with existing protections, or simply not worth the additional complexity.

2 Likes

Ummm … I hate to ask this question, because it seems dumb, but if a node with crowdsec has a reverse proxy setup in http routes, is crowdsec inspecting and as necessary blocking the traffic before it’s sent to the proxy target on another node or cluster?

I would say no because what crowdsec is looking for is bad authentication and this answer will be done by the final destination host, so the reverse proxy is just addressing the route to the host and no more.

1 Like

CrowdSec primarily analyzes logs available in the local node journal and makes decisions based on those logs. Traefik on the front-end node may still record requests and backend responses, including 401 errors, whether the application is hosted locally or on a remote server. However, CrowdSec’s ability to act on those events depends on the parsers and detection scenarios that are enabled.

Results can vary between applications because some generate logs and response patterns that match CrowdSec’s detection rules, while others do not. Testing different setups and sharing feedback can help determine how effectively CrowdSec supports these configurations in practice.

1 Like
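To illustrate the last answer, here is an added example (not part of the thread, and not CrowdSec's own parser or scenario): a simplified leaky-bucket detector run over access-log lines in Traefik's default CLF-style format, showing that 401 responses from a backend on another node are still visible to the front-end node. The IPs, router name, backend URL and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Traefik default access-log layout (CLF plus request count, router name,
# backend server URL and duration). Assumed to be the enabled format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" \d+ "(?P<router>[^"]*)" "(?P<backend>[^"]*)" \d+ms'
)

def detect(lines, capacity=3, leak_seconds=30):
    """Per-source-IP leaky bucket: each 401 adds one event, one event leaks
    out every leak_seconds, and exceeding capacity flags the IP.
    Returns {ip: backend URL that produced the overflowing 401}."""
    level, last, flagged = defaultdict(float), {}, {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["status"] != "401":
            continue  # unparsed journal lines and non-401 responses are ignored
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if ip in last:  # drain the bucket for the time elapsed since the last 401
            leaked = (ts - last[ip]).total_seconds() / leak_seconds
            level[ip] = max(0.0, level[ip] - leaked)
        last[ip] = ts
        level[ip] += 1
        if level[ip] > capacity and ip not in flagged:
            flagged[ip] = m["backend"]
    return flagged

def _line(ip, hms, status, backend="http://10.5.4.2:8080"):
    # Constructed log line; the backend URL stands for an app on another node.
    return (f'{ip} - - [10/Oct/2024:{hms} +0000] "POST /login HTTP/1.1" '
            f'{status} 17 "-" "-" 1 "webapp@file" "{backend}" 12ms')

SAMPLE = [  # constructed sample journal content
    _line("203.0.113.7", "13:55:01", 401),
    _line("198.51.100.20", "13:55:02", 401),
    _line("203.0.113.7", "13:55:03", 401),
    "traefik[812]: configuration reloaded",  # not an access-log line
    _line("203.0.113.7", "13:55:05", 401),
    _line("203.0.113.7", "13:55:07", 401),   # fourth 401 in 6 s: overflow
    _line("198.51.100.20", "13:57:02", 401),  # bucket drained in between
    _line("198.51.100.20", "13:57:05", 200),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

If the application answers failed logins with a status other than 401, or the access log is not enabled, nothing in this model fires, which matches the point that results depend on what the logs actually contain.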