
NAME

Suricata::Monitoring - LibreNMS JSON SNMP extend and Nagios style check for Suricata stats

VERSION

Version 0.2.0

SYNOPSIS

    use Suricata::Monitoring;

    my $args = {
        mode               => 'librenms',
        drop_percent_warn  => .75,
        drop_percent_crit  => 1,
        error_delta_warn   => 1,
        error_delta_crit   => 2,
        error_percent_warn => .05,
        error_percent_crit => .1,
        files=>{
               'ids'=>'/var/log/suricata/alert-ids.json',
               'foo'=>'/var/log/suricata/alert-foo.json',
               },
    };

    my $sm=Suricata::Monitoring->new( $args );
    my $returned=$sm->run;
    $sm->print_output;
    exit $returned->{alert};

METHODS

new

Initiate the object.

The args are taken as a hash ref. The keys are documented as below.

The only required key is 'files'.

    - mode :: Whether the print_output output should be for Nagios or LibreNMS.
      - value :: 'librenms' or 'nagios'
      - Default :: librenms
    
    - drop_percent_warn :: Drop percent warning threshold.
      - Default :: .75;
        
    - drop_percent_crit :: Drop percent critical threshold.
      - Default :: 1
        
    - error_delta_warn :: Error delta warning threshold.
      - Default :: 1
    
    - error_delta_crit :: Error delta critical threshold.
      - Default :: 2
    
    - error_percent_warn :: Error percent warning threshold.
      - Default :: .05
    
    - error_percent_crit :: Error percent critical threshold.
      - Default :: .1
    
    - files :: A hash with the keys being the instance name and the values
      being the Eve files to read. ".total" is not a valid instance name.
      Similarly, anything starting with a "." should be considered reserved.

    my $args = {
        mode               => 'librenms',
        drop_percent_warn  => .75,
        drop_percent_crit  => 1,
        error_delta_warn   => 1,
        error_delta_crit   => 2,
        error_percent_warn => .05,
        error_percent_crit => .1,
        files=>{
               'ids'=>'/var/log/suricata/alert-ids.json',
               'foo'=>'/var/log/suricata/alert-foo.json',
               },
    };

    my $sm=Suricata::Monitoring->new( $args );

run

This runs the check and collects the data. It also updates the cache
used to compute the deltas on the next run.

This will return a LibreNMS style hash.

    my $returned=$sm->run;

print_output

Prints the output of the last run, in the format selected by the 'mode'
argument.

    $sm->print_output;

LibreNMS HASH

    + $hash{'alert'} :: Alert status.
      - 0 :: OK
      - 1 :: WARNING
      - 2 :: CRITICAL
      - 3 :: UNKNOWN
    
    + $hash{'alertString'} :: A string describing the alert. Defaults to
      '' if there is no alert.
    
    + $hash{'error'} :: An integer representing an error. '0' means
      everything is fine.
    
    + $hash{'errorString'} :: A string description of the error.
    
    + $hash{'data'}{$instance} :: Values migrated from the
      instance. *_delta values are computed as the difference between the
      current values and the previously cached ones. *_percent values are
      the delta in question over the packet delta. Deltas are created for
      packet, drop, ifdrop, and error. Percents are made for drop, ifdrop,
      and error.
    
    + $hash{'data'}{'.total'} :: Total values from all the
      instances. Any percents are recomputed from the totals.
    

    The stat keys are migrated as below.
    
    uptime             => $json->{stats}{uptime},
    packets            => $json->{stats}{capture}{kernel_packets},
    dropped            => $json->{stats}{capture}{kernel_drops},
    ifdropped          => $json->{stats}{capture}{kernel_ifdrops},
    errors             => $json->{stats}{capture}{errors},
    bytes              => $json->{stats}{decoder}{bytes},
    dec_packets        => $json->{stats}{decoder}{pkts},
    dec_invalid        => $json->{stats}{decoder}{invalid},
    dec_ipv4           => $json->{stats}{decoder}{ipv4},
    dec_ipv6           => $json->{stats}{decoder}{ipv6},
    dec_udp            => $json->{stats}{decoder}{udp},
    dec_tcp            => $json->{stats}{decoder}{tcp},
    dec_avg_pkt_size   => $json->{stats}{decoder}{avg_pkt_size},
    dec_max_pkt_size   => $json->{stats}{decoder}{max_pkt_size},
    dec_chdlc          => $json->{stats}{decoder}{chdlc},
    dec_ethernet       => $json->{stats}{decoder}{ethernet},
    dec_geneve         => $json->{stats}{decoder}{geneve},
    dec_ieee8021ah     => $json->{stats}{decoder}{ieee8021ah},
    dec_ipv4_in_ipv6   => $json->{stats}{decoder}{ipv6_in_ipv6},
    dec_mx_mac_addrs_d => $json->{stats}{decoder}{max_mac_addrs_dst},
    dec_mx_mac_addrs_s => $json->{stats}{decoder}{max_mac_addrs_src},
    dec_mpls           => $json->{stats}{decoder}{mpls},
    dec_ppp            => $json->{stats}{decoder}{ppp},
    dec_pppoe          => $json->{stats}{decoder}{pppoe},
    dec_raw            => $json->{stats}{decoder}{raw},
    dec_sctp           => $json->{stats}{decoder}{sctp},
    dec_sll            => $json->{stats}{decoder}{sll},
    dec_teredo         => $json->{stats}{decoder}{teredo},
    dec_too_many_layer => $json->{stats}{decoder}{too_many_layers},
    dec_vlan           => $json->{stats}{decoder}{vlan},
    dec_vlan_qinq      => $json->{stats}{decoder}{vlan_qinq},
    dec_vntag          => $json->{stats}{decoder}{vntag},
    dec_vxlan          => $json->{stats}{decoder}{vxlan},
    f_tcp              => $json->{stats}{flow}{tcp},
    f_udp              => $json->{stats}{flow}{udp},
    f_icmpv4           => $json->{stats}{flow}{icmpv4},
    f_icmpv6           => $json->{stats}{flow}{icmpv6},
    f_memuse           => $json->{stats}{flow}{memuse},
    ftp_memuse         => $json->{stats}{ftp}{memuse},
    http_memuse        => $json->{stats}{http}{memuse},
    tcp_memuse         => $json->{stats}{tcp}{memuse},
    tcp_reass_memuse   => $json->{stats}{tcp}{reassembly_memuse},
    af_*               => $json->{stats}{app_layer}{flow}{*}
    at_*               => $json->{stats}{app_layer}{tx}{*}
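The following script is an added example and is not code from Suricata::Monitoring itself. It shows how the per-instance deltas and percents, the ".total" aggregate and the alert level described above can be derived from two consecutive Suricata "stats" events per instance (standing in for the cached previous run and a fresh read of the Eve file). The Eve lines are constructed, and several details are assumptions rather than documented behaviour of the module: percents are computed as 100 * delta / packet delta, thresholds trip at "greater than or equal", a decrease in uptime is treated as a Suricata restart (counters reset, so the current value is used as the delta), and a zero packet delta yields 0 percent instead of a division by zero.

```perl
#!/usr/bin/env perl
# Added example, not Suricata::Monitoring's own code. Derives deltas,
# percents, the ".total" aggregate and an alert level from consecutive
# Suricata "stats" events. Units, restart handling and the >= threshold
# comparison are assumptions, noted where they apply.
use strict;
use warnings;
use JSON::PP;

# Constructed sample Eve lines: previous and current stats event per instance.
my %samples = (
    ids => [
        '{"event_type":"stats","stats":{"uptime":100,"capture":{"kernel_packets":10000,"kernel_drops":10,"kernel_ifdrops":0,"errors":0}}}',
        '{"event_type":"stats","stats":{"uptime":130,"capture":{"kernel_packets":20000,"kernel_drops":110,"kernel_ifdrops":0,"errors":1}}}',
    ],
    foo => [
        '{"event_type":"stats","stats":{"uptime":100,"capture":{"kernel_packets":5000,"kernel_drops":0,"kernel_ifdrops":5,"errors":0}}}',
        # uptime went down: Suricata restarted and its counters reset.
        '{"event_type":"stats","stats":{"uptime":15,"capture":{"kernel_packets":3000,"kernel_drops":0,"kernel_ifdrops":0,"errors":0}}}',
    ],
);

# The module's documented defaults.
my %thresholds = (
    drop_percent_warn  => .75, drop_percent_crit  => 1,
    error_delta_warn   => 1,   error_delta_crit   => 2,
    error_percent_warn => .05, error_percent_crit => .1,
);

# Pull the capture counters out of one decoded stats event.
sub migrate {
    my ($json) = @_;
    my $c = $json->{stats}{capture} || {};
    return {
        uptime    => $json->{stats}{uptime} // 0,
        packets   => $c->{kernel_packets}   // 0,
        dropped   => $c->{kernel_drops}     // 0,
        ifdropped => $c->{kernel_ifdrops}   // 0,
        errors    => $c->{errors}           // 0,
    };
}

# Migrated key => prefix used for the *_delta and *_percent keys.
my %short = (packets => 'packet', dropped => 'drop', ifdropped => 'ifdrop', errors => 'error');

# Deltas against the cached values. Assumption: lower uptime means a restart,
# so the raw current counter is taken as the delta instead of going negative.
sub with_deltas {
    my ($prev, $cur) = @_;
    my %d = %$cur;
    my $restarted = $cur->{uptime} < $prev->{uptime};
    for my $k (keys %short) {
        $d{"$short{$k}_delta"} = $restarted ? $cur->{$k} : $cur->{$k} - $prev->{$k};
    }
    add_percents(\%d);
    return \%d;
}

# Assumption: percent = 100 * delta / packet delta; 0 when no packets moved.
sub add_percents {
    my ($d) = @_;
    for my $k (qw(drop ifdrop error)) {
        $d->{"${k}_percent"} = $d->{packet_delta} > 0
            ? 100 * $d->{"${k}_delta"} / $d->{packet_delta} : 0;
    }
}

# ".total": sum every non-percent value, then recompute percents from the sums.
sub total_of {
    my ($data) = @_;
    my %t;
    for my $inst (keys %$data) {
        $t{$_} += $data->{$inst}{$_} for grep { !/_percent$/ } keys %{ $data->{$inst} };
    }
    add_percents(\%t);
    return \%t;
}

# Worst level across all instances: 0 OK, 1 WARNING, 2 CRITICAL (>= assumed).
sub evaluate {
    my ($data, $th) = @_;
    my ($alert, @msgs) = (0);
    for my $inst (sort keys %$data) {
        my $d = $data->{$inst};
        for my $m (qw(drop_percent error_delta error_percent)) {
            my $v     = $d->{$m};
            my $level = $v >= $th->{"${m}_crit"} ? 2
                      : $v >= $th->{"${m}_warn"} ? 1 : 0;
            next unless $level;
            $alert = $level if $level > $alert;
            push @msgs, "$inst $m=" . sprintf('%.3f', $v);
        }
    }
    return { alert => $alert, alertString => join('; ', @msgs), error => 0, errorString => '' };
}

my $codec = JSON::PP->new;
my %data;
for my $inst (keys %samples) {
    my ($prev, $cur) = map { migrate($codec->decode($_)) } @{ $samples{$inst} };
    $data{$inst} = with_deltas($prev, $cur);
}
$data{'.total'} = total_of(\%data);
my $returned = evaluate(\%data, \%thresholds);
$returned->{data} = \%data;
print $codec->canonical->pretty->encode($returned);
exit $returned->{alert};
```

With the constructed input, 'ids' reaches drop_percent 1.0 (CRITICAL) and error_delta 1 (WARNING), 'foo' is clean after its restart is recognised, and '.total' lands at a recomputed drop_percent of roughly 0.77 (WARNING) rather than the sum of the per-instance percents; the exit status is 2.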

AUTHOR

Zane C. Bowers-Hadley, <vvelox at vvelox.net>

BUGS

Please report any bugs or feature requests to bug-suricata-monitoring at rt.cpan.org, or through the web interface at https://rt.cpan.org/NoAuth/ReportBug.html?Queue=Suricata-Monitoring. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.

    perldoc Suricata::Monitoring

You can also look for information at:

git@github.com:VVelox/Suricata-Monitoring.git

ACKNOWLEDGEMENTS

LICENSE AND COPYRIGHT

This software is Copyright (c) 2022 by Zane C. Bowers-Hadley.

This is free software, licensed under:

  The Artistic License 2.0 (GPL Compatible)
