opnsense, suricata & telegraf

[aimdev]

I am attempting to setup this combination following the instructions here,
https://www.influxdata.com/blog/network-security-monitoring-with-suricata-and-telegraf/

I added
- eve-log:
    enabled: yes
    filetype: unix_stream
    filename: /tmp/suricata-stats.sock
    types:
      - stats:
         threads: yes

to /usr/local/etc/suricata/custom.yaml

%YAML 1.1
---
# empty stub for custom modifications, add custom persistent config below

Note the word persistent.
This file is overwritten on an upgrade.(and possibly on other events?)

Why is this, and event it was not overwitten, will a subsequent directive overwrite the previous directive in suricata.yaml?

For telegraf a file /usr/local/etc/telegraf.d/suricata.conf was created.

[[input.suricata]]
  ## Data sink for Suricata stats log.
  # This is expected to be a filename of a
  # unix socket to be created for listening.
  source = "/var/run/suricata-stats.sock"

  # Delimiter for flattening field keys, e.g. subitem "alert" of "detect"
  # becomes "detect_alert" when delimiter is "_".
  delimiter = "_"

Despite telegraf being updated, this file survived.

To access the files in telegraf.d, (the recommended approach I believe, and works perfectly in debian)
the configdir values is required, or the files in telegraf.d will be ignored.
Here is one on a debian system (which works)

/usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d

Here is the confdir variable in the telegraf service file

: ${telegraf_confdir:=""}

I am unsure if the configdir is passed as a ps -aux | grep telegraf results in

daemon: /usr/local/bin/telegraf[91692] (daemon)

I am unsure if this is the intended processing of suricata & telegraf, or its an oversite.

Prior to raising a bug/enhancement, I would appreciate the communities views.

Thanks

[koushun]

https://forum.opnsense.org/index.php?topic=16966.0

[aimdev]

I have looked at you thread, and while it will work, will it persist
1. reboot?
2. service restart?
3. upgrades to opnsense?

There is valid solution within telegraf which I hope will be implemented.

[franco]

Note the word persistent.
This file is overwritten on an upgrade.(and possibly on other events?)

https://github.com/opnsense/core/pull/5151#issuecomment-971257298

[koushun]

It will not persist, unless you write to the file that Franco suggested in the GitHub comment.

However, I have not looked into this for a bit, because I am still waiting for Telegraf in OPNsense to be updated to have the abilitity to parse alerts - https://github.com/influxdata/telegraf/releases - "v1.20.0 [2021-09-17]"

https://github.com/influxdata/telegraf/tree/master/plugins/inputs/suricata

[koushun]

Oh, wait - it is on the latest release.

[root@opnsense ~]$ telegraf --version
Telegraf 1.20.3

Hah! I have followed every release note and nowhere it has said the underlying software has been updated. Welp, I learned something new today - so is it safe to assume plugins are always *updated*, even though it does not say. .. I mean, the release notes are pretty good, but to also incorporate all the other bits and bytes-- would be awesome :)

Hmm. That would have been nice, to have somewhere in the GUI which says which version the plugin *actually* is.

I will look into this a bit more now. Cool!

[franco]

Documenting software versions in the plugin is plugin maintainer job. So far nobody does it. ;)


Cheers,
Franco