General Discussion / Unable to get Telegraf plugin to send IPS data (suricata)
« on: April 26, 2020, 09:27:49 pm »
Hi all,
I've been using other FWs for a while and am switching to OPNsense! I'm getting myself up to speed with OPNsense to prepare for a small but mission-critical distributed environment. If my project is successful I plan to get some support for the OPNsense project from the company.
I've been looking at this issue for a week now. The Telegraf plugin in OPNsense works great and can send all selected input sources to a designated server (e.g. InfluxDB). I'm trying to see if Suricata logs/alerts could also be sent.
On the InfluxDB site there are some descriptions of hooking up Suricata output to Telegraf using a unix_stream socket. I've edited the telegraf.conf and suricata.yaml files and restarted the services. It didn't seem to work.
Do I need to install the suricata.go file somewhere on the OPNsense to make the config work? I haven't been able to find any .go files on the OPNsense.
Thanks for help!
My steps of changes:
1) Add config lines to /usr/local/etc/suricata/suricata.yaml:
  - eve-log:
      enabled: yes
      type: unix_stream
      filename: /var/run/suricata-stats.sock
      types:
        - stats:
            threads: yes
2) Restart suricata with "service suricata restart". Tested the socket with "cat /var/run/suricata-stats.sock": a ton of text data looking like suricata output.
3) add lines to /usr/local/etc/telegraf.conf:
[[inputs.suricata]]
source = "/var/run/suricata-stats.sock"
delimiter = "_"
4) Restart telegraf with "service telegraf restart". Not seeing new measurements (assuming a new suricata dataset will create new measurements) being created in InfluxDB.
General instructions from the InfluxDB site (note there are two minor mistakes: the eve-log section of suricata should use "type" instead of "filetype", and the inputs.suricata statement in suricata.yaml was "input.suricata" without the s):
https://github.com/influxdata/telegraf/tree/master/plugins/inputs/suricata
===============Software versions=========
suricata-4.1.6
Name : suricata
Version : 4.1.6
Installed on : Wed Jan 29 16:07:34 2020 EST
Origin : security/suricata
Architecture : FreeBSD:11:amd64
Prefix : /usr/local
Categories : security
Licenses : GPLv2
Maintainer : franco@opnsense.org
Comment : High Performance Network IDS, IPS and Security Monitoring engine
Options :
==============================================
telegraf-1.14.1
Name : telegraf
Version : 1.14.1
Installed on : Fri Apr 24 11:46:09 2020 EDT
Origin : net-mgmt/telegraf
Architecture : FreeBSD:11:amd64
Prefix : /usr/local
Categories : net-mgmt
Licenses : MIT
Maintainer : girgen@FreeBSD.org
Comment : Time-series data collection
Options :
PIE : on
RELRO : on
Annotations :
FreeBSD_version: 1102000
repo_type : binary
repository : OPNsense
Flat size : 63.4MiB
====================================
FreeBSD 11.2-RELEASE-p16-HBSD FreeBSD 11.2-RELEASE-p16-HBSD fc65add89c3(stable/20.1) amd64
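As an added example (not from the original post, nor Telegraf's or Suricata's own code), a small Python listener that plays the role of the inputs.suricata plugin: it binds the socket path, accepts Suricata's connection, and flattens the "stats" records with the "_" delimiter. With a unix_stream eve-log output Suricata is the client, so something must already be listening on the socket before any data can be delivered; running this in place of telegraf is a quick way to confirm whether data arrives at all and which field names to expect. The socket path is taken from the post above; the sample event is constructed.

```python
import json
import os
import socket

# Constructed, abbreviated Suricata EVE "stats" record, newline-delimited
# exactly as it would arrive on the unix_stream socket (not real data).
SAMPLE_EVENT = json.dumps({
    "event_type": "stats",
    "stats": {
        "uptime": 120,
        "capture": {"kernel_packets": 4321, "kernel_drops": 7},
        "decoder": {"pkts": 4300, "bytes": 3100000},
        "detect": {"alert": 3},
    },
}) + "\n"


def flatten(obj, prefix="", delimiter="_"):
    """Flatten nested dicts into delimiter-joined keys, the way the
    telegraf suricata input does with its `delimiter` setting."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{delimiter}{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name, delimiter))
        else:
            out[name] = value
    return out


def stats_fields(line, delimiter="_"):
    """Flattened fields of one EVE line, or None for non-stats events
    (alerts, flows, ...), which this listener ignores."""
    event = json.loads(line)
    if event.get("event_type") != "stats":
        return None
    return flatten(event["stats"], delimiter=delimiter)


def serve(path="/var/run/suricata-stats.sock", handler=print, max_events=None):
    """Bind the socket and accept Suricata's connection: Suricata connects
    as a client, so this listener must exist before eve-log can deliver."""
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(1)
        conn, _ = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8") as lines:
            for count, line in enumerate(lines, 1):
                fields = stats_fields(line)
                if fields:
                    handler(fields)
                if max_events and count >= max_events:
                    break
```

Stop telegraf first so the two listeners do not fight over the same socket path, then restart suricata once the listener is up.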