root@opnsense:/usr/local/etc/suricata # service suricata restartsuricata not running? (check /var/run/suricata.pid).Starting suricata.23/7/2021 -- 21:29:25 - <Info> - Including configuration file installed_rules.yaml.23/7/2021 -- 21:29:25 - <Info> - Configuration node 'rule-files' redefined.23/7/2021 -- 21:29:25 - <Info> - Including configuration file custom.yaml.
root@opnsense:/usr/local/etc/suricata # vi custom.yaml %YAML 1.1---# empty stub for custom modifications, add custom persistent config below - eve-log: enabled: yes type: unix_stream filename: /tmp/suricata-stats.sock types: - stats: threads: yes
[[inputs.tail]]
  # Follow Suricata's EVE log. The tail plugin parses the file one line at a
  # time, so every line has to be a single complete JSON object.
  data_format = "json"
  files = ["/var/log/suricata/eve.json"]
  name_override = "suricata"
  # NOTE(review): indexing src_ip/src_port/dest_ip/dest_port as tags turns every
  # distinct connection tuple into its own series; with ephemeral client ports
  # this is effectively unbounded series cardinality in InfluxDB — confirm this
  # is acceptable for the bucket's retention before running it long-term.
  tag_keys = ["event_type","src_ip","src_port","dest_ip","dest_port"]
  # Keep all remaining string values as fields instead of dropping them.
  json_string_fields = ["*"]
[[inputs.suricata]]
  # Unix socket that telegraf creates and listens on; Suricata's second
  # eve-log output (filetype: unix_stream) connects to it and pushes stats.
  # NOTE(review): /tmp is world-writable, so any local user can pre-create a
  # file at this path before telegraf starts and block the socket; a
  # telegraf-owned directory would avoid that.
  source = "/tmp/suricata-stats.sock"
  # Separator used when flattening nested stats keys into field names.
  delimiter = "_"
srwxr-xr-x 1 telegraf wheel 0B Jul 26 20:29 /tmp/suricata-stats.sock
# Stop both daemons before changing the group membership used for socket access.
service suricata stop
service telegraf stop
# Give telegraf access to the stats socket by adding it to the socket's group
# (wheel, per the ls output).
# NOTE(review): wheel is gid 0 and on FreeBSD su-to-root is restricted to its
# members by default, so this grants a service account far more than socket
# access needs; a dedicated group shared by suricata and telegraf (or a
# telegraf-owned socket directory) would be the least-privilege choice.
pw group mod wheel -m telegraf
pw groupshow wheel
wheel:*:0:root,telegraf
outputs:
  # Additional eve-log instance that writes only stats records to the unix
  # socket that telegraf's inputs.suricata plugin listens on. The key is
  # `filetype` — the earlier attempt with `type` was not picked up.
  - eve-log:
      enabled: yes
      filetype: unix_stream
      filename: /tmp/suricata-stats.sock
      types:
        - stats:
            # Emit per-thread counters in addition to the totals.
            threads: yes
[[inputs.suricata]]
  ## Data sink for Suricata stats log.
  # This is expected to be a filename of a
  # unix socket to be created for listening.
  # NOTE(review): because telegraf creates the socket, it must have write
  # access to the directory; /tmp satisfies that but is world-writable, so a
  # local user could occupy this path first. A telegraf-owned directory is the
  # safer location.
  source = "/tmp/suricata-stats.sock"
  # Delimiter for flattening field keys, e.g. subitem "alert" of "detect"
  # becomes "detect_alert" when delimiter is "_".
  delimiter = "_"
root@opnsense:/usr/local/etc/suricata # ls -alh /tmp/suricata-stats.sock srwxr-xr-x 1 telegraf wheel 0B Jul 26 23:24 /tmp/suricata-stats.sock
time="2021-07-26T23:24:20+02:00" level=error msg="failed to create cache directory. /.cache/snowflake, err: mkdir /.cache: permission denied. ignored\n" func="gosnowflake.(*defaultLogger).Errorf" file="log.go:120"time="2021-07-26T23:24:20+02:00" level=error msg="failed to open. Ignored. open /.cache/snowflake/ocsp_response_cache.json: no such file or directory\n" func="gosnowflake.(*defaultLogger).Errorf" file="log.go:120"2021-07-26T21:24:20Z I! Starting Telegraf 1.19.0
root@opnsense:/usr/local/etc/suricata # service suricata startStarting suricata.26/7/2021 -- 23:28:33 - <Info> - Including configuration file installed_rules.yaml.26/7/2021 -- 23:28:33 - <Info> - Configuration node 'rule-files' redefined.26/7/2021 -- 23:28:33 - <Info> - Including configuration file custom.yaml.
Jul 24 09:32:33 opnsense suricata[42065]: [100950] <Notice> -- This is Suricata version 5.0.7 RELEASE running in SYSTEM mode Jul 24 09:33:38 opnsense suricata[98999]: [101381] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 4 other sigs Jul 24 09:33:38 opnsense suricata[98999]: [101381] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 4 other sigs Jul 24 09:33:38 opnsense suricata[98999]: [101381] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017557 and 1 other sigs Jul 24 09:33:38 opnsense suricata[98999]: [101381] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017772 and 1 other sigs Jul 24 09:33:38 opnsense suricata[98999]: [101381] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017790 and 0 other sigs Jul 24 09:33:38 opnsense suricata[98999]: [101381] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs Jul 24 09:33:38 opnsense suricata[98999]: [101381] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] -CLOG;???
2021-07-26T18:30:37Z E! [inputs.suricata] Error in plugin: unexpected end of JSON input
[[inputs.file]]
  # Test input: a copy of eve.json read as a whole file rather than tailed.
  # With data_format = "json" the parser expects one JSON document; eve.json
  # is newline-delimited objects, which is what produces the
  # "invalid character '{' after top-level value" error seen in telegraf.log.
  files = ["/tmp/eve.json"]
  data_format = "json"
  # Use the event's own timestamp instead of the collection time.
  json_time_key = "timestamp"
  tag_keys = ["event_type","src_ip","src_port","dest_ip","dest_port"]
  json_string_fields = ["*"]
tail -f /var/log/telegraf/telegraf.log2021-07-26T22:35:00Z E! [inputs.file] Error in plugin: invalid character '{' after top-level value
The multi-line JSON problem described above arises only because the tail plugin reads and parses the file one line at a time; each line therefore has to be a complete, parseable (non-pretty-printed) JSON object, regardless of the underlying data format.
{"timestamp":"2021-07-26T00:35:09.879746+0200","flow_id":1555495003216570,"in_iface":"re0_vlan50","event_type":"anomaly","src_ip":"192.168.50.100","src_port":28967,"dest_ip":"13.44.15.16","dest_port":57818,"proto":"TCP","app_proto":"tls","anomaly":{"type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
[[inputs.file]]
  # Minimal variant of the test input: no tag_keys and no time key, so every
  # record is stamped with the collection time and all string values become
  # fields.
  files = ["/tmp/eve.json"]
  data_format = "json"
  json_string_fields = ["*"]
[[inputs.file]]
  # Test input with the event timestamp parsed explicitly.
  files = ["/tmp/eve.json"]
  data_format = "json"
  tag_keys = ["event_type","src_ip","src_port","dest_ip","dest_port"]
  name_override = "suricata"
  json_time_key = "timestamp"
  # Go reference layout matching EVE timestamps such as
  # 2021-07-26T00:35:09.879746+0200 (numeric zone offset, no colon).
  json_time_format = "2006-01-02T15:04:05-0700"
// Suricata events in the dashboard's selected time range, one row per
// timestamp, reduced to the connection tuple and event type.
from(bucket: "opnsense")
  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)
  |> filter(fn: (r) => r["_measurement"] == "suricata")
  // Collapse the per-field/per-tag tables: group by _time, keep the last
  // record of each timestamp, then ungroup so the result is a single table.
  |> group(columns: ["_time"])
  |> last()
  |> group()
  |> keep(columns: ["_time", "src_ip", "src_port","event_type","dest_ip", "dest_port"])