search

crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License
8.29k stars 429 forks source link

High CPU usage on Docker #2488

Open modem7 opened 10 months ago

modem7 commented 10 months ago

What happened?

Docker crowdsec container is using high CPU usage (50-100%)

What did you expect to happen?

Not have high CPU usage

How can we reproduce it (as minimally and precisely as possible)?

```yaml ##~~~~~~~~## ##Crowdsec## ##~~~~~~~~## # CrowdSec - Open-source & collaborative security IPS crowdsec: image: crowdsecurity/crowdsec:latest container_name: Crowdsec hostname: Crowsec networks: pihole: ipv4_address: '172.22.0.126' ports: - "19818:8080" - "16934:6060" environment: COLLECTIONS: "crowdsecurity/traefik crowdsecurity/nginx crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux crowdsecurity/sshd Dominic-Wagner/vaultwarden LePresidente/authelia" DISABLE_COLLECTIONS: "schiz0phr3ne/radarr schiz0phr3ne/sonarr crowdsecurity/mariadb crowdsecurity/mysql crowdsecurity/linux-lpe" GID: "${GID-1000}" CUSTOM_HOSTNAME: HDA-Docker TZ: "$TZ" # LEVEL_TRACE: "true" # Trace-level (VERY verbose) on stdout (default: false) # LEVEL_DEBUG: "true" # Debug-level on stdout (default: false) # LEVEL_INFO: "true" # Info-level on stdout (default: false) volumes: - $USERDIR/Crowdsec/data:/var/lib/crowdsec/data - $USERDIR/Crowdsec/config:/etc/crowdsec - $USERDIR/Traefik/logs:/logs/traefik/:ro - $USERDIR/Authelia/logs:/logs/authelia/:ro - $USERDIR/Bitwarden/Logs:/logs/vaultwarden/:ro - $USERDIR/Bookstack/log/nginx/:/logs/bookstack/:ro - $USERDIR/Xbackbone/log/nginx/:/logs/xbackbone/:ro - /var/log:/var/log:ro # - /var/run/docker.sock:/var/run/docker.sock:ro # for docker data source (https://docs.crowdsec.net/docs/data_sources/docker/) labels: ## Homepage - homepage.name=Crowdsec - homepage.group=System - homepage.icon=crowdsec - homepage.href=https://app.crowdsec.net/security-engines logging: driver: "local" options: max-size: 10m max-file: "3" restart: always mem_limit: 5000m mem_reservation: 250m depends_on: - traefik # CrowdSec Bouncer - Traefik traefik-bouncer: image: fbonalair/traefik-crowdsec-bouncer container_name: Crowdsec-Traefik-Bouncer networks: pihole: ipv4_address: '172.22.0.127' environment: - GIN_MODE=debug # default is debug (more logs) - CROWDSEC_BOUNCER_API_KEY=$CROWDSEC_BOUNCER_TRAEFIK_API_KEY # sudo docker exec crowdsec cscli bouncers add traefik-bouncer - CROWDSEC_AGENT_HOST=crowdsec:8080 # CrowdSec host and port - CROWDSEC_BOUNCER_LOG_LEVEL=1 # 1 INFO 2 WARN https://pkg.go.dev/github.com/rs/zerolog#readme-leveled-logging security_opt: - no-new-privileges:true logging: driver: "local" options: max-size: 10m max-file: "3" restart: always mem_limit: 200m mem_reservation: 50m depends_on: - crowdsec # CrowdSec Bouncer - Cloudflare # sudo docker exec crowdsec cscli bouncer add cloudflare-bouncer # Set max ip number right the first time (max 10000). Recreating container deletes all ips and readds them causing cloudflare 429 rate limiting. # To recover: docker run --rm -it -v "$(pwd)"/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml --name BouncerRecovery 'crowdsecurity/cloudflare-bouncer' -d cloudflare-bouncer: image: crowdsecurity/cloudflare-bouncer container_name: Crowdsec-Cloudflare-Bouncer networks: pihole: ipv4_address: '172.22.0.133' # ports: # - "2112:2112" volumes: - $USERDIR/Crowdsec/cloudflare-bouncer/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml - $USERDIR/Crowdsec/cloudflare-bouncer/cf-bouncer:/cf-bouncer security_opt: - no-new-privileges:true logging: driver: "local" options: max-size: 10m max-file: "3" restart: always mem_limit: 500m mem_reservation: 50m depends_on: - crowdsec - ```

Anything else we need to know?

No response

Crowdsec version

```console 2023/09/24 04:45:29 version: v1.5.4-e4dcdd25728b914823525f1efabf18d5c454902b 2023/09/24 04:45:29 Codename: alphaga 2023/09/24 04:45:29 BuildDate: 2023-09-20_12:28:07 2023/09/24 04:45:29 GoVersion: 1.20.8 2023/09/24 04:45:29 Platform: docker 2023/09/24 04:45:29 libre2: C++ 2023/09/24 04:45:29 Constraint_parser: >= 1.0, <= 2.0 2023/09/24 04:45:29 Constraint_scenario: >= 1.0, < 3.0 2023/09/24 04:45:29 Constraint_api: v1 2023/09/24 04:45:29 Constraint_acquis: >= 1.0, < 2.0 ```

OS version

```console # On Linux: $ cat /etc/os-release ``` PRETTY_NAME="Ubuntu 22.04.3 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.3 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy ``` $ uname -a ``` Linux HDA 5.15.0-84-generic #93-Ubuntu SMP Tue Sep 5 17:16:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux ``` ```

Enabled collections and parsers

```console Dominic-Wagner/vaultwarden,enabled,0.1,Vaultwarden support : parser and brute-force detection,collections LePresidente/authelia,enabled,0.2,Authelia Support : parser and brute-force detection,collections crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections crowdsecurity/http-cve,enabled,2.1,,collections crowdsecurity/iptables,enabled,0.1,iptables support : logs and port-scans detection scenarios,collections crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections crowdsecurity/traefik,enabled,0.1,traefik support: parser and generic http scenarios,collections crowdsecurity/whitelist-good-actors,enabled,0.1,Good actors whitelists,collections Dominic-Wagner/vaultwarden-logs,enabled,0.1,Parse vaultwarden logs,parsers LePresidente/authelia-logs,enabled,0.4,Parse Authelia logs,parsers crowdsecurity/cri-logs,enabled,0.1,CRI logging format parser,parsers crowdsecurity/dateparse-enrich,enabled,0.2,,parsers crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers crowdsecurity/http-logs,enabled,1.2,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers crowdsecurity/iptables-logs,enabled,0.5,Parse iptables drop logs,parsers crowdsecurity/nginx-logs,enabled,1.4,Parse nginx access and error logs,parsers crowdsecurity/sshd-logs,enabled,2.2,Parse openSSH logs,parsers crowdsecurity/syslog-logs,enabled,0.8,,parsers crowdsecurity/traefik-logs,enabled,0.9,Parse Traefik access logs,parsers crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers custom-whitelists.yaml,"enabled,local",n/a,,parsers github-whitelists.yaml,"enabled,local",n/a,,parsers Dominic-Wagner/vaultwarden-bf,enabled,0.1,Detect vaultwarden bruteforce,scenarios LePresidente/authelia-bf,enabled,0.2,Detect authelia bruteforce,scenarios crowdsecurity/CVE-2019-18935,enabled,0.1,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios crowdsecurity/CVE-2022-26134,enabled,0.1,Detect CVE-2022-26134 exploits,scenarios crowdsecurity/CVE-2022-35914,enabled,0.1,Detect CVE-2022-35914 exploits,scenarios crowdsecurity/CVE-2022-37042,enabled,0.1,Detect CVE-2022-37042 exploits,scenarios crowdsecurity/CVE-2022-40684,enabled,0.2,Detect cve-2022-40684 exploitation attempts,scenarios crowdsecurity/CVE-2022-41082,enabled,0.3,Detect CVE-2022-41082 exploits,scenarios crowdsecurity/CVE-2022-41697,enabled,0.1,Detect CVE-2022-41697 enumeration,scenarios crowdsecurity/CVE-2022-42889,enabled,0.2,Detect CVE-2022-42889 exploits (Text4Shell),scenarios crowdsecurity/CVE-2022-44877,enabled,0.2,Detect CVE-2022-44877 exploits,scenarios crowdsecurity/CVE-2022-46169,enabled,0.1,Detect CVE-2022-46169 brute forcing,scenarios crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios crowdsecurity/http-backdoors-attempts,enabled,0.3,Detect attempt to common backdoors,scenarios crowdsecurity/http-bad-user-agent,enabled,0.8,Detect bad user-agents,scenarios crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios crowdsecurity/http-generic-bf,enabled,0.4,Detect generic http brute force,scenarios crowdsecurity/http-open-proxy,enabled,0.3,Detect scan for open proxy,scenarios crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios crowdsecurity/iptables-scan-multi_ports,enabled,0.1,ban IPs that are scanning us,scenarios crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios crowdsecurity/netgear_rce,enabled,0.2,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios crowdsecurity/nginx-req-limit-exceeded,enabled,0.1,Detects IPs which violate nginx's user set request limit.,scenarios crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows crowdsecurity/seo-bots-whitelist,enabled,0.4,Whitelist good search engine crawlers,postoverflows ```

Acquisition config

filenames:
  - /var/log/auth.log
  - /var/log/syslog
  - /var/log/kern.log
  - /var/log/mail.log
labels:
  type: syslog
---
filenames:
  - /logs/traefik/access.log
labels:
  type: traefik
---
filenames:
  - /logs/authelia/*.log
labels:
  type: authelia
---
filenames:
  - /logs/vaultwarden/*.log
labels:
  type: vaultwarden
---
filenames:
  - /logs/bookstack/*.log
  - /logs/xbackbone/*.log
  - /logs/bookstack/*.log.1
  - /logs/xbackbone/*.log.1
labels:
  type: nginx
#---
#source: docker
#container_name_regexp:
#  - ^[a-zA-Z0-9_.-]*$
#labels:
#  type: docker

Config show

```console Global: - Configuration Folder : /etc/crowdsec - Data Folder : /var/lib/crowdsec/data - Hub Folder : /etc/crowdsec/hub - Simulation File : /etc/crowdsec/simulation.yaml - Log Folder : /var/log/ - Log level : info - Log Media : stdout Crowdsec: - Acquisition File : /etc/crowdsec/acquis.yaml - Parsers routines : 1 cscli: - Output : human - Hub Branch : - Hub Folder : /etc/crowdsec/hub API Client: - URL : http://0.0.0.0:8080/ - Login : HDA-Docker - Credentials File : /etc/crowdsec/local_api_credentials.yaml Local API Server: - Listen URL : 0.0.0.0:8080 - Profile File : /etc/crowdsec/profiles.yaml - Trusted IPs: - 127.0.0.1 - ::1 - Database: - Type : sqlite - Path : /var/lib/crowdsec/data/crowdsec.db - Flush age : 7d - Flush size : 5000 ```

Prometheus metrics

```console Acquisition Metrics: +---------------------------------+------------+--------------+----------------+------------------------+ | Source | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket | +---------------------------------+------------+--------------+----------------+------------------------+ | file:/logs/bookstack/access.log | 50 | 50 | - | - | | file:/logs/traefik/access.log | 29 | 29 | - | 20 | | file:/logs/xbackbone/access.log | 52 | 52 | - | - | | file:/var/log/auth.log | 14 | - | 14 | - | | file:/var/log/kern.log | 10 | - | 10 | - | | file:/var/log/syslog | 62 | - | 62 | - | +---------------------------------+------------+--------------+----------------+------------------------+ Bucket Metrics: +--------------------------------------+---------------+-----------+--------------+--------+---------+ | Bucket | Current Count | Overflows | Instantiated | Poured | Expired | +--------------------------------------+---------------+-----------+--------------+--------+---------+ | crowdsecurity/http-crawl-non_statics | 1 | - | 17 | 17 | 16 | | crowdsecurity/http-probing | 1 | - | 3 | 3 | 2 | +--------------------------------------+---------------+-----------+--------------+--------+---------+ Parser Metrics: +----------------------------------+------+--------+----------+ | Parsers | Hits | Parsed | Unparsed | +----------------------------------+------+--------+----------+ | child-crowdsecurity/http-logs | 393 | 262 | 131 | | child-crowdsecurity/nginx-logs | 102 | 102 | - | | child-crowdsecurity/sshd-logs | 55 | - | 55 | | child-crowdsecurity/syslog-logs | 86 | 86 | - | | child-crowdsecurity/traefik-logs | 29 | 29 | - | | crowdsecurity/dateparse-enrich | 131 | 131 | - | | crowdsecurity/geoip-enrich | 131 | 131 | - | | crowdsecurity/github | 131 | 131 | - | | crowdsecurity/http-logs | 131 | 131 | - | | crowdsecurity/nginx-logs | 102 | 102 | - | | crowdsecurity/non-syslog | 131 | 131 | - | | crowdsecurity/sshd-logs | 5 | - | 5 | | crowdsecurity/syslog-logs | 86 | 86 | - | | crowdsecurity/traefik-logs | 29 | 29 | - | | crowdsecurity/whitelists | 262 | 262 | - | +----------------------------------+------+--------+----------+ Local API Metrics: +----------------------+--------+------+ | Route | Method | Hits | +----------------------+--------+------+ | /v1/decisions | DELETE | 1 | | /v1/decisions | GET | 8409 | | /v1/decisions/stream | GET | 26 | | /v1/heartbeat | GET | 4 | | /v1/watchers/login | POST | 2 | +----------------------+--------+------+ Local API Machines Metrics: +------------+---------------+--------+------+ | Machine | Route | Method | Hits | +------------+---------------+--------+------+ | HDA-Docker | /v1/decisions | DELETE | 1 | | HDA-Docker | /v1/heartbeat | GET | 4 | +------------+---------------+--------+------+ Local API Bouncers Metrics: +-------------------+----------------------+--------+------+ | Bouncer | Route | Method | Hits | +-------------------+----------------------+--------+------+ | cloudflarebouncer | /v1/decisions/stream | GET | 26 | | traefik-bouncer | /v1/decisions | GET | 8409 | +-------------------+----------------------+--------+------+ Local API Bouncers Decisions: +-----------------+---------------+-------------------+ | Bouncer | Empty answers | Non-empty answers | +-----------------+---------------+-------------------+ | traefik-bouncer | 8408 | 0 | +-----------------+---------------+-------------------+ Local API Decisions: +--------------------------------------------+----------+--------+-------+ | Reason | Origin | Action | Count | +--------------------------------------------+----------+--------+-------+ | LePresidente/authelia-bf | CAPI | ban | 5 | | crowdsecurity/grafana-cve-2021-43798 | CAPI | ban | 78 | | crowdsecurity/http-sensitive-files | CAPI | ban | 11 | | crowdsecurity/CVE-2022-42889 | CAPI | ban | 16 | | crowdsecurity/apache_log4j2_cve-2021-44228 | CAPI | ban | 418 | | crowdsecurity/http-generic-bf | CAPI | ban | 21 | | firehol_cruzit_web_attacks | lists | ban | 13252 | | firehol_greensnow | lists | ban | 6206 | | Dominic-Wagner/vaultwarden-bf | CAPI | ban | 20 | | crowdsecurity/http-crawl-non_statics | CAPI | ban | 654 | | crowdsecurity/spring4shell_cve-2022-22965 | CAPI | ban | 3 | | crowdsecurity/ssh-slow-bf | CAPI | ban | 22 | | crowdsecurity/CVE-2022-26134 | CAPI | ban | 175 | | crowdsecurity/CVE-2022-37042 | CAPI | ban | 23 | | crowdsecurity/http-bad-user-agent | crowdsec | ban | 2 | | crowdsecurity/http-bad-user-agent | CAPI | ban | 7877 | | crowdsecurity/jira_cve-2021-26086 | CAPI | ban | 24 | | crowdsecurity/thinkphp-cve-2018-20062 | CAPI | ban | 203 | | crowdsecurity/CVE-2019-18935 | CAPI | ban | 56 | | crowdsecurity/CVE-2022-41082 | CAPI | ban | 995 | | crowdsecurity/CVE-2022-41082 | crowdsec | ban | 1 | | crowdsecurity/http-open-proxy | CAPI | ban | 611 | | crowdsecurity/netgear_rce | CAPI | ban | 51 | | crowdsecurity/http-cve-2021-41773 | CAPI | ban | 30 | | crowdsecurity/http-path-traversal-probing | CAPI | ban | 103 | | crowdsecurity/CVE-2022-35914 | CAPI | ban | 58 | | crowdsecurity/http-backdoors-attempts | CAPI | ban | 1068 | | crowdsecurity/ssh-bf | CAPI | ban | 16643 | | crowdsecurity/f5-big-ip-cve-2020-5902 | CAPI | ban | 30 | | crowdsecurity/fortinet-cve-2018-13379 | CAPI | ban | 115 | | crowdsecurity/http-probing | crowdsec | ban | 14 | | crowdsecurity/http-probing | CAPI | ban | 3033 | | crowdsecurity/iptables-scan-multi_ports | CAPI | ban | 307 | | crowdsecurity/nginx-req-limit-exceeded | CAPI | ban | 197 | | otx-georgs-honeypot | lists | ban | 1142 | +--------------------------------------------+----------+--------+-------+ Local API Alerts: +------------------------------------+-------+ | Reason | Count | +------------------------------------+-------+ | crowdsecurity/http-probing | 32 | | crowdsecurity/http-sensitive-files | 2 | | crowdsecurity/CVE-2019-18935 | 1 | | crowdsecurity/CVE-2022-41082 | 6 | | crowdsecurity/http-bad-user-agent | 3 | +------------------------------------+-------+ ```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

github-actions[bot] commented 10 months ago

@modem7: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
Details I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.
modem7 commented 10 months ago

Looks like by removing the syslogs, the CPU usage has gone down.

Will put this in pending whilst I monitor further.

modem7 commented 10 months ago

Nope, issue still remains.

image

image

LaurenceJJones commented 10 months ago

Could you dump and maybe send me the file

https://docs.crowdsec.net/docs/next/observability/pprof/#visualize-cpu-usage

Laurence@crowdsec.net

modem7 commented 10 months ago

If I try from inside the container:

docker exec -it Crowdsec /bin/bash
Crowsec:/# go tool pprof -http=:8081 http://localhost:6060/debug/pprof/profile
bash: go: command not found

If I try it from the host:

❯ go tool pprof -http=:8081 http://localhost:16934/debug/pprof/profile
Fetching profile over HTTP from http://localhost:16934/debug/pprof/profile
http://localhost:16934/debug/pprof/profile: Get "http://localhost:16934/debug/pprof/profile": read tcp [::1]:55028->[::1]:16934: read: connection reset by peer
failed to fetch any source profiles

I also tried (from host) as it looked like it was trying ipv6 in previous command:

❯ go tool pprof -http=:8081 http://127.0.0.1:16934/debug/pprof/profile
Fetching profile over HTTP from http://127.0.0.1:16934/debug/pprof/profile
http://127.0.0.1:16934/debug/pprof/profile: Get "http://127.0.0.1:16934/debug/pprof/profile": read tcp 127.0.0.1:60706->127.0.0.1:16934: read: connection reset by peer
failed to fetch any source profiles
❯ go tool pprof -http=:8081 http://192.168.50.254:16934/debug/pprof/profile
Fetching profile over HTTP from http://192.168.50.254:16934/debug/pprof/profile
http://192.168.50.254:16934/debug/pprof/profile: Get "http://192.168.50.254:16934/debug/pprof/profile": dial tcp 192.168.50.254:16934: connect: connection refused
failed to fetch any source profiles

After installing go in the Crowdsec container, I was able to get the file.

❯ docker exec -it Crowdsec /bin/bash
Crowsec:/# apk add go
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
(1/13) Installing libgcc (12.2.1_git20220924-r10)
(2/13) Installing libstdc++ (12.2.1_git20220924-r10)
(3/13) Installing zstd-libs (1.5.5-r4)
(4/13) Installing binutils (2.40-r7)
(5/13) Installing libgomp (12.2.1_git20220924-r10)
(6/13) Installing libatomic (12.2.1_git20220924-r10)
(7/13) Installing gmp (6.2.1-r3)
(8/13) Installing isl26 (0.26-r1)
(9/13) Installing mpfr4 (4.2.0_p12-r0)
(10/13) Installing mpc1 (1.3.1-r1)
(11/13) Installing gcc (12.2.1_git20220924-r10)
(12/13) Installing musl-dev (1.2.4-r1)
(13/13) Installing go (1.20.8-r0)
Executing busybox-1.36.1-r2.trigger
OK: 326 MiB in 33 packages
Crowsec:/# go tool pprof -http=:8081 http://localhost:6060/debug/pprof/profile
Fetching profile over HTTP from http://localhost:6060/debug/pprof/profile
Saved profile in /root/pprof/pprof.crowdsec.samples.cpu.001.pb.gz
Serving web UI on http://localhost:8081
http://localhost:8081

Have sent the resulting files via email.

Thanks!