Monit alerts with Suricata

[Dantichrist]

I hope that this is the right place to ask this.

I have been trying to get alerts working for suricata, and haven't been able to get them to work. I do get alerts for anything else that I have set up so I know that I have the alert settings set up properly.

I have set it up as it is shown in the manual https://docs.opnsense.org/manual/monit.html verbatim but I'm not getting alerts when I have blocked entries in the suricata log.

One thing that is really strange thing that I noticed is that if I vi /usr/local/etc/monitrc I have this in the config:

check file SURICATA_ALERT with path "/var/log/suricata/eve.json"
   if content = \xe2\x80\x9cblocked\xe2\x80\x9d then alert

If I cat the same file I get this:

check file SURICATA_ALERT with path "/var/log/suricata/eve.json"
   if content = “blocked” then alert

If I look at it with less or more I get this:
check file SURICATA_ALERT with path "/var/log/suricata/eve.json"
   if content = <E2><80><9C>blocked<E2><80><9D> then alert

If I manually change "if content =" to blocked with vi I still don't get alerts even thought the status page in the UI shows that the service test is being triggered. If I reboot or make any changes to monit via the web interface it will change back to \xe2\x80\x9cblocked\xe2\x80\x9d.

I've spent a few days trying different things, and reading anything that I can get my hands on to to try to get this working and I'm out of ideas.

Can anyone give me any direction on what to try next? Thank you in advance for your time.

[QBANIN]

This setup works for me.

[Dantichrist]

Thank you for the reply. That's how I have it set up as well. The names are all that is different. I should have attached screen shots in the first post.

I only have four alert types set for "not on" and content failed isn't one of them.

[QBANIN]

IMO you are using wrong quotation marks
https://en.wikipedia.org/wiki/Quotation_mark

Take a closer look at both mine and your screenshot.

[Dantichrist]

Thank you for your reply. They are the same quotation marks that was copied directly from the Opnsense page covering monit. I'm not sure if the dark background has them looking different to you for some reason. Here is a screenshot with the stock theme. Tell me what the difference is because I don't see any.

My eyes aren't as good as they used to be because I'm old so who knows? lol

[QBANIN]

Try to copy-paste this:

Code: [Select]

content = "blocked"

[Dantichrist]

Done, and there was no change. Still no alert when I trigger it.

I've seen the forum thread that you got these settings from on here a few days ago. I copied/pasted those too with the same results. Literally the only difference is the naming scheme. The content itself is the same.

I can see when it's supposed to trigger because I can see "content match" on the status page.

One thing that I did notice is that after the updates today I don't see the weird differences with the monitrc file that I described in the OP.