Topic: opnsense, suricata & telegraf (Read 3929 times)
aimdev
Full Member
Posts: 126
Karma: 5
opnsense, suricata & telegraf
« on: October 29, 2021, 12:44:23 pm »
I am attempting to set up this combination following the instructions here:
https://www.influxdata.com/blog/network-security-monitoring-with-suricata-and-telegraf/
I added

```yaml
- eve-log:
    enabled: yes
    filetype: unix_stream
    filename: /tmp/suricata-stats.sock
    types:
      - stats:
          threads: yes
```

to /usr/local/etc/suricata/custom.yaml:

```yaml
%YAML 1.1
---
# empty stub for custom modifications, add custom persistent config below
```

Note the word persistent.
This file is overwritten on an upgrade (and possibly on other events?).
Why is this, and even if it was not overwritten, will a subsequent directive overwrite the previous directive in suricata.yaml?
For telegraf a file /usr/local/etc/telegraf.d/suricata.conf was created.

```toml
[[inputs.suricata]]
  ## Data sink for Suricata stats log.
  # This is expected to be a filename of a
  # unix socket to be created for listening.
  # Telegraf creates this socket; the eve-log "filename" on the Suricata
  # side has to point at the same path.
  source = "/var/run/suricata-stats.sock"
  # Delimiter for flattening field keys, e.g. subitem "alert" of "detect"
  # becomes "detect_alert" when delimiter is "_".
  delimiter = "_"
```

Despite telegraf being updated, this file survived.
To access the files in telegraf.d (the recommended approach, I believe, and one that works perfectly in Debian), the configdir value is required, or the files in telegraf.d will be ignored.
Here is one on a Debian system (which works):

```sh
/usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d
```

Here is the confdir variable in the telegraf service file:

```sh
: ${telegraf_confdir:=""}
```

I am unsure if the configdir is passed, as ps -aux | grep telegraf results in

```
daemon: /usr/local/bin/telegraf[91692] (daemon)
```

I am unsure if this is the intended processing of suricata & telegraf, or if it's an oversight.
Prior to raising a bug/enhancement, I would appreciate the community's views.
Thanks
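The post above wires Suricata's EVE stats output into the telegraf suricata input and relies on the input's `delimiter` setting to flatten nested counters. The following is an added example, not telegraf's, Suricata's or OPNsense's own code: a small Python consumer that reads EVE JSON lines, keeps only `event_type: stats`, splits them per thread (the `threads: yes` setting) and flattens the counters with a delimiter the same way the config comment describes (`detect` / `alert` becomes `detect_alert`). The EVE lines, thread names and counter values are constructed for this example; the `socket_lines` helper and `drop_ratio` check are this example's own additions, not telegraf features.

```python
"""Added example (not telegraf's or OPNsense's code): read Suricata EVE JSON,
keep "stats" records and flatten nested counters with a delimiter, the
behaviour the telegraf suricata input's `delimiter = "_"` setting describes.
Sample input is constructed for this example, not captured from a live box.
"""
import json
import os
import socket
from typing import Any, Dict, Iterable, Iterator, Optional

# Constructed EVE lines: one stats record with per-thread counters
# (threads: yes), one alert record a stats consumer must ignore, and
# one corrupt line that must not crash the collector.
SAMPLE_EVE = [
    '{"timestamp":"2021-10-29T12:44:23.000000+0000","event_type":"stats","stats":{'
    '"uptime":60,"capture":{"kernel_packets":1200,"kernel_drops":3},"detect":{"alert":2},'
    '"threads":{"W#01-em0":{"capture":{"kernel_packets":700,"kernel_drops":1},"detect":{"alert":2}},'
    '"W#02-em0":{"capture":{"kernel_packets":500,"kernel_drops":2},"detect":{"alert":0}}}}}',
    '{"timestamp":"2021-10-29T12:44:24.000000+0000","event_type":"alert",'
    '"alert":{"signature_id":1000001}}',  # constructed local-range signature id
    "this line is not JSON",
]


def flatten(obj: Dict[str, Any], delimiter: str = "_", prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts so {"detect": {"alert": 2}} -> {"detect_alert": 2}."""
    out: Dict[str, Any] = {}
    for key, value in obj.items():
        name = f"{prefix}{delimiter}{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, delimiter, name))
        else:
            out[name] = value
    return out


def stats_metrics(lines: Iterable[str], delimiter: str = "_",
                  threads: bool = True) -> Iterator[Dict[str, Any]]:
    """Yield one metric dict per stats record (one per thread when threads=True).

    Non-stats events and malformed lines are skipped rather than raised, so a
    single bad line on the socket does not take the collector down."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "stats":
            continue
        stats = event.get("stats", {})
        ts = event.get("timestamp")
        per_thread = stats.get("threads") if threads else None
        if per_thread:
            for thread, counters in per_thread.items():
                yield {"thread": thread, "timestamp": ts,
                       "fields": flatten(counters, delimiter)}
        else:
            totals = {k: v for k, v in stats.items() if k != "threads"}
            yield {"thread": "total", "timestamp": ts,
                   "fields": flatten(totals, delimiter)}


def drop_ratio(fields: Dict[str, Any], delimiter: str = "_") -> Optional[float]:
    """Kernel drop ratio from the flattened capture counters, or None if absent.
    A rising ratio means the sensor is missing part of the traffic."""
    packets = fields.get(f"capture{delimiter}kernel_packets")
    drops = fields.get(f"capture{delimiter}kernel_drops")
    if not packets or drops is None:
        return None
    return drops / packets


def socket_lines(path: str) -> Iterator[str]:
    """Listen on a unix stream socket (collector creates it, Suricata connects,
    as with filetype unix_stream) and yield newline-delimited records."""
    if os.path.exists(path):
        os.unlink(path)  # stale socket from a previous run
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    conn, _ = srv.accept()
    with conn, conn.makefile("r", encoding="utf-8") as fh:
        for line in fh:
            yield line


if __name__ == "__main__":
    # Offline run over the constructed sample; swap SAMPLE_EVE for
    # socket_lines("/tmp/suricata-stats.sock") to read from a live sensor.
    for metric in stats_metrics(SAMPLE_EVE):
        print(metric["thread"], metric["fields"], "drop_ratio:", drop_ratio(metric["fields"]))
```

Run stand-alone it prints two per-thread metric sets from the constructed sample; pointing it at the socket path configured in Suricata's eve-log `filename` makes it a minimal substitute for the telegraf input, which is useful for confirming that Suricata actually connects and emits stats before debugging the telegraf side.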
koushun
Jr. Member
Posts: 95
Karma: 9
Digital pimp hard at work.
Re: opnsense, suricata & telegraf
« Reply #1 on: November 16, 2021, 07:22:36 pm »
https://forum.opnsense.org/index.php?topic=16966.0
Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM
aimdev
Full Member
Posts: 126
Karma: 5
Re: opnsense, suricata & telegraf
« Reply #2 on: November 16, 2021, 07:28:00 pm »
I have looked at your thread, and while it will work, will it persist across:
1. reboot?
2. service restart?
3. upgrades to opnsense?
There is a valid solution within telegraf which I hope will be implemented.
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: opnsense, suricata & telegraf
« Reply #3 on: November 17, 2021, 07:47:37 am »
Quote from: aimdev on October 29, 2021, 12:44:23 pm
Note the word persistent.
This file is overwritten on an upgrade (and possibly on other events?).
https://github.com/opnsense/core/pull/5151#issuecomment-971257298
koushun
Jr. Member
Posts: 95
Karma: 9
Digital pimp hard at work.
Re: opnsense, suricata & telegraf
« Reply #4 on: November 17, 2021, 10:14:11 am »
It will not persist, unless you write to the file that Franco suggested in the GitHub comment.
However, I have not looked into this for a bit, because I am still waiting for Telegraf in OPNsense to be updated to have the ability to parse alerts:
https://github.com/influxdata/telegraf/releases - "v1.20.0 [2021-09-17]"
https://github.com/influxdata/telegraf/tree/master/plugins/inputs/suricata
koushun
Jr. Member
Posts: 95
Karma: 9
Digital pimp hard at work.
Re: opnsense, suricata & telegraf
« Reply #5 on: November 17, 2021, 10:18:42 am »
Oh, wait - it is on the latest release.

```
[root@opnsense ~]$ telegraf --version
Telegraf 1.20.3
```

Hah! I have followed every release note and nowhere has it said the underlying software has been updated. Welp, I learned something new today - so is it safe to assume plugins are always *updated*, even though it does not say? I mean, the release notes are pretty good, but to also incorporate all the other bits and bytes would be awesome.
Hmm. That would have been nice, to have somewhere in the GUI which says which version the plugin *actually* is.
I will look into this a bit more now. Cool!
« Last Edit: November 17, 2021, 10:31:36 am by koushun »
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: opnsense, suricata & telegraf
« Reply #6 on: November 17, 2021, 11:02:02 am »
Documenting software versions in the plugin is the plugin maintainer's job. So far nobody does it.
Cheers,
Franco