Suricata::Monitoring - LibreNMS JSON SNMP extend and Nagios style check for Suricata stats
Version 0.3.0
    use Suricata::Monitoring;

    my $args = {
        mode               => 'librenms',
        drop_percent_warn  => .75,
        drop_percent_crit  => 1,
        error_delta_warn   => 1,
        error_delta_crit   => 2,
        error_percent_warn => .05,
        error_percent_crit => .1,
        files              => {
            'ids' => '/var/log/suricata/alert-ids.json',
            'foo' => '/var/log/suricata/alert-foo.json',
        },
    };

    my $sm = Suricata::Monitoring->new($args);
    my $returned = $sm->run;
    $sm->print_output;

    exit $returned->{alert};
new - Initiates the object.

The args are taken as a hash ref. The keys are documented below. The only required key is 'files'.
- mode :: Whether the print_output output should be for Nagios or LibreNMS.
  - value :: 'librenms' or 'nagios'
  - Default :: librenms
- drop_percent_warn :: Drop percent warning threshold.
  - Default :: .75
- drop_percent_crit :: Drop percent critical threshold.
  - Default :: 1
- error_delta_warn :: Error delta warning threshold.
  - Default :: 1
- error_delta_crit :: Error delta critical threshold.
  - Default :: 2
- error_percent_warn :: Error percent warning threshold.
  - Default :: .05
- error_percent_crit :: Error percent critical threshold.
  - Default :: .1
- max_age :: How far back to read, in seconds.
  - Default :: 360
- files :: A hash with the keys being the instance name and the values being the Eve files to read. ".total" is not a valid instance name. Similarly, anything starting with a "." should be considered reserved.

    my $args = {
        mode               => 'librenms',
        drop_percent_warn  => .75,
        drop_percent_crit  => 1,
        error_delta_warn   => 1,
        error_delta_crit   => 2,
        error_percent_warn => .05,
        error_percent_crit => .1,
        max_age            => 360,
        files              => {
            'ids' => '/var/log/suricata/alert-ids.json',
            'foo' => '/var/log/suricata/alert-foo.json',
        },
    };

    my $sm = Suricata::Monitoring->new($args);
run - Runs the checks and collects the data. It also updates the cache.

This returns a LibreNMS style hash, described below.

    my $returned = $sm->run;
print_output - Prints the output.

    $sm->print_output;
+ $hash{'alert'} :: Alert status.
  - 0 :: OK
  - 1 :: WARNING
  - 2 :: CRITICAL
  - 3 :: UNKNOWN
+ $hash{'alertString'} :: A string describing the alert. Defaults to '' if there is no alert.
+ $hash{'error'} :: An integer representing an error. '0' represents everything is fine.
+ $hash{'errorString'} :: A string description of the error.
+ $hash{'data'}{$instance} :: Values migrated from the instance. *_delta values are created by computing the difference from the previously saved info. *_percent is based off of the delta in question over the packet delta. Deltas are created for packet, drop, ifdrop, and error. Percents are made for drop, ifdrop, and error.
+ $hash{'data'}{'.total'} :: Total values from all the instances. Any percents will be recomputed.

The stat keys are migrated as below.

    uptime             => $json->{stats}{uptime},
    packets            => $json->{stats}{capture}{kernel_packets},
    dropped            => $json->{stats}{capture}{kernel_drops},
    ifdropped          => $json->{stats}{capture}{kernel_ifdrops},
    errors             => $json->{stats}{capture}{errors},
    bytes              => $json->{stats}{decoder}{bytes},
    dec_packets        => $json->{stats}{decoder}{pkts},
    dec_invalid        => $json->{stats}{decoder}{invalid},
    dec_ipv4           => $json->{stats}{decoder}{ipv4},
    dec_ipv6           => $json->{stats}{decoder}{ipv6},
    dec_udp            => $json->{stats}{decoder}{udp},
    dec_tcp            => $json->{stats}{decoder}{tcp},
    dec_avg_pkt_size   => $json->{stats}{decoder}{avg_pkt_size},
    dec_max_pkt_size   => $json->{stats}{decoder}{max_pkt_size},
    dec_chdlc          => $json->{stats}{decoder}{chdlc},
    dec_ethernet       => $json->{stats}{decoder}{ethernet},
    dec_geneve         => $json->{stats}{decoder}{geneve},
    dec_ieee8021ah     => $json->{stats}{decoder}{ieee8021ah},
    dec_ipv4_in_ipv6   => $json->{stats}{decoder}{ipv6_in_ipv6},
    dec_mx_mac_addrs_d => $json->{stats}{decoder}{max_mac_addrs_dst},
    dec_mx_mac_addrs_s => $json->{stats}{decoder}{max_mac_addrs_src},
    dec_mpls           => $json->{stats}{decoder}{mpls},
    dec_ppp            => $json->{stats}{decoder}{ppp},
    dec_pppoe          => $json->{stats}{decoder}{pppoe},
    dec_raw            => $json->{stats}{decoder}{raw},
    dec_sctp           => $json->{stats}{decoder}{sctp},
    dec_sll            => $json->{stats}{decoder}{sll},
    dec_teredo         => $json->{stats}{decoder}{teredo},
    dec_too_many_layer => $json->{stats}{decoder}{too_many_layers},
    dec_vlan           => $json->{stats}{decoder}{vlan},
    dec_vlan_qinq      => $json->{stats}{decoder}{vlan_qinq},
    dec_vntag          => $json->{stats}{decoder}{vntag},
    dec_vxlan          => $json->{stats}{decoder}{vxlan},
    f_tcp              => $json->{stats}{flow}{tcp},
    f_udp              => $json->{stats}{flow}{udp},
    f_icmpv4           => $json->{stats}{flow}{icmpv4},
    f_icmpv6           => $json->{stats}{flow}{icmpv6},
    f_memuse           => $json->{stats}{flow}{memuse},
    ftp_memuse         => $json->{stats}{ftp}{memuse},
    http_memuse        => $json->{stats}{http}{memuse},
    tcp_memuse         => $json->{stats}{tcp}{memuse},
    tcp_reass_memuse   => $json->{stats}{tcp}{reassembly_memuse},
    af_*               => $json->{stats}{app_layer}{flow}{*}
    at_*               => $json->{stats}{app_layer}{tx}{*}
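The delta, percent and threshold logic described above, as an added stand-alone example (not the module's own code): it migrates a subset of the capture stats from two constructed eve.json stats events, computes the *_delta and *_percent values, and maps them to the documented alert levels with the default thresholds. The key names dropped_delta, dropped_percent and errors_delta, the >= comparison, and treating *_percent as whole percents are assumptions.

```perl
use strict;
use warnings;
use JSON::PP;

# Constructed sample: two consecutive eve.json stats events (previous and current)
# for a single instance, as the module would read them from its Eve file.
my ( $prev_ev, $cur_ev ) = map { decode_json($_) } (
    '{"event_type":"stats","stats":{"uptime":100,"capture":{"kernel_packets":1000,"kernel_drops":2,"kernel_ifdrops":0,"errors":0}}}',
    '{"event_type":"stats","stats":{"uptime":160,"capture":{"kernel_packets":3000,"kernel_drops":22,"kernel_ifdrops":0,"errors":1}}}',
);

# Subset of the stat key migration documented above.
sub migrate {
    my ($json) = @_;
    return {
        uptime    => $json->{stats}{uptime},
        packets   => $json->{stats}{capture}{kernel_packets},
        dropped   => $json->{stats}{capture}{kernel_drops},
        ifdropped => $json->{stats}{capture}{kernel_ifdrops},
        errors    => $json->{stats}{capture}{errors},
    };
}

# *_delta: difference from the previously saved stats; *_percent: that delta over
# the packet delta. The key names used here are an assumption, not the module's.
sub deltas_and_percents {
    my ( $prev, $cur ) = @_;
    my %d = %$cur;
    $d{"${_}_delta"} = $cur->{$_} - $prev->{$_} for qw(packets dropped ifdropped errors);
    for (qw(dropped ifdropped errors)) {
        # an idle interface yields a zero packet delta; avoid dividing by zero
        $d{"${_}_percent"} = $d{packets_delta} > 0 ? $d{"${_}_delta"} / $d{packets_delta} * 100 : 0;
    }
    return \%d;
}

# Map the computed values to the documented alert levels (0 OK, 1 WARNING, 2 CRITICAL)
# using the module's default thresholds; >= and whole-percent units are assumed.
my %thr = ( drop_percent_warn => .75, drop_percent_crit => 1, error_delta_warn => 1,
            error_delta_crit => 2, error_percent_warn => .05, error_percent_crit => .1 );
sub alert_level {
    my ($d) = @_;
    my $alert = 0;
    for my $c ( [ dropped_percent => 'drop_percent' ], [ errors_delta => 'error_delta' ],
                [ errors_percent => 'error_percent' ] ) {
        my ( $key, $t ) = @$c;
        if    ( $d->{$key} >= $thr{"${t}_crit"} ) { $alert = 2 }
        elsif ( $d->{$key} >= $thr{"${t}_warn"} ) { $alert = 1 if $alert < 1 }
    }
    return $alert;
}
my $d = deltas_and_percents( migrate($prev_ev), migrate($cur_ev) );
printf "drop %.2f%% err_delta %d err %.2f%% -> alert %d\n",
    $d->{dropped_percent}, $d->{errors_delta}, $d->{errors_percent}, alert_level($d);
```

With the constructed sample the packet delta is 2000 and the drop delta 20, so the drop percent reaches the 1% critical default even though the error delta and error percent only cross their warning thresholds.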
Zane C. Bowers-Hadley, <vvelox at vvelox.net>
Please report any bugs or feature requests to bug-suricata-monitoring at rt.cpan.org, or through the web interface at https://rt.cpan.org/NoAuth/ReportBug.html?Queue=Suricata-Monitoring. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
You can find documentation for this module with the perldoc command.
perldoc Suricata::Monitoring
You can also look for information at:
RT: CPAN's request tracker (report bugs here)
https://rt.cpan.org/NoAuth/Bugs.html?Dist=Suricata-Monitoring
CPAN Ratings
https://cpanratings.perl.org/d/Suricata-Monitoring
Search CPAN
https://metacpan.org/release/Suricata-Monitoring
Git: git@github.com:VVelox/Suricata-Monitoring.git
Web
https://github.com/VVelox/Suricata-Monitoring
This software is Copyright (c) 2022 by Zane C. Bowers-Hadley.
This is free software, licensed under:
The Artistic License 2.0 (GPL Compatible)
To install Suricata::Monitoring, copy and paste the appropriate command into your terminal.

With cpanm:

    cpanm Suricata::Monitoring

With the CPAN shell:

    perl -MCPAN -e shell
    install Suricata::Monitoring

For more information on module installation, please visit the detailed CPAN module installation guide.