cvandeplas / suricata_stats

Statistics parsing for suricata
GNU General Public License v3.0

Suricata Stats in Zabbix 4 on Ubuntu 18.04 (python script error) #1

Open psanwald opened 5 years ago

psanwald commented 5 years ago

This project is a great idea! Thank you so much for sharing. I am trying to get this running with Zabbix 4. I had to delete the connection to the Linux server template and some items from the template itself because of an internal Zabbix issue (https://support.zabbix.com/browse/ZBX-11916). I didn't receive any latest data yet, and when I call the Python script (as it is called from the cronjob) I receive this error:

    Traceback (most recent call last):
      File "/etc/zabbix/scripts/suricata_stats.py", line 35, in <module>
        var, section, value = line.split('|')
    ValueError: need more than 1 value to unpack

Do you have a hint for me on how to solve this?

cvandeplas commented 5 years ago

It seems your line contains something unexpected. Suricata is a tool that evolves quite actively, and this script hasn't been updated for a long time as I don't use it in production anymore. To see what the line contains, just do a print(line) right after the line "for line in f_content:". Then run the script manually and you should see what's going on and which line fails splitting.

Some side questions: Did you change the variables in the Python script? Things like:

threads = 8                                     # set here the number of threads configured in suricata.yaml

Having an export from your stats.log could be valuable to troubleshoot.

psanwald commented 5 years ago

Thank you for answering. I did not change the variables in the python script. But I checked the stats.log in /var/log/suricata:

    Date: 5/28/2019 -- 12:29:35 (uptime: 0d, 00h 01m 00s)

    Counter | TM Name | Value

    capture.kernel_packets | Total | 3710
    decoder.pkts | Total | 3710

I guess the script expects only the table content and not the rows at the top of the table. I am not familiar with Python, but changing the parsing part of the script as follows helped me get rid of the header:

    ...
    for line in f_content:
        # skip the separator rules, the Date line and the column header
        if line.find("------") == -1:
            # find() returns -1 when '|' is absent, which is truthy, so a bare
            # 'if line.find("|"):' did not exclude lines without a pipe
            if line.find("|") != -1:
                if line.find("Date:") == -1:
                    if line.find("TM Name") == -1:
                        print(line)
                        var, section, value = line.split('|')
    ...

Now the script seems to return valid data like:

  • suricata[decoder.udp] 91
  • suricata[decoder.avg_pkt_size] 262
  • suricata[tcp.memuse] 2293760
  • suricata[flow_mgr.rows_maxlen] 3 ...

.. and an error:

zabbix_sender: not found

Which is strange, because zabbix-agent is installed on that machine. After googling this I found out that zabbix_sender is no longer part of zabbix-agent. So I installed zabbix_sender: sudo apt-get install zabbix-sender

Now all error messages are gone. But the Zabbix template / trapper does not receive data. So I call the script in verbose mode:

    python /etc/zabbix/scripts/suricata.py -z -v

The bottom line shows that all 43 attempts fail:

    ['info from server: "processed: 0; failed: 43; total: 43; seconds spent: 0.000667"\n', 'sent: 43; skipped: 0; total: 43\n']

Do you have an idea how I can find out why they fail?
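Added example, not code from the repository's script: a parser for the stats.log layout quoted in this thread that skips the Date, separator and "TM Name" header lines and drops malformed rows instead of raising the ValueError above, then formats the counters as zabbix_sender -i input. The sample log, the host name "sensor01" and sending only the "Total" rows are assumptions.

```python
# Constructed stats.log excerpt in the layout shown in the issue: a Date line,
# separator rules, the "Counter | TM Name | Value" header, then counter rows.
SAMPLE_STATS_LOG = """\
----------------------------------------------------------------
Date: 5/28/2019 -- 12:29:35 (uptime: 0d, 00h 01m 00s)
----------------------------------------------------------------
Counter                     | TM Name        | Value
----------------------------------------------------------------
capture.kernel_packets      | Total          | 3710
decoder.pkts                | Total          | 3710
decoder.udp                 | Total          | 91
tcp.memuse                  | Total          | 2293760
"""

def parse_stats_log(text):
    """Return (counter, tm_name, value) tuples for every data row.

    Header, separator and blank lines are skipped explicitly, and a row that
    does not split into exactly three '|' fields is dropped rather than
    raising the ValueError that broke the original unpack.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('-') or line.startswith('Date:'):
            continue
        fields = [f.strip() for f in line.split('|')]
        if len(fields) != 3 or fields[1] == 'TM Name':
            continue
        counter, tm_name, value = fields
        if not value.isdigit():
            continue  # not a numeric counter; ignore rather than crash
        rows.append((counter, tm_name, int(value)))
    return rows

def zabbix_sender_lines(rows, host):
    """Format rows as 'zabbix_sender -i' input: '<host> <key> <value>' per line.

    Keys follow the output quoted in the issue (suricata[decoder.udp]). Only
    the 'Total' rows are sent, since per-thread rows would share one key
    (assumption).
    """
    return ['%s suricata[%s] %d' % (host, counter, value)
            for counter, tm_name, value in rows if tm_name == 'Total']

if __name__ == '__main__':
    # 'sensor01' is a placeholder; it must match the host name known to Zabbix.
    for out in zabbix_sender_lines(parse_stats_log(SAMPLE_STATS_LOG), 'sensor01'):
        print(out)
```

zabbix_sender counts a value as failed when the server has no matching trapper item for that host name and key, so a 43/43 failure usually points at a host or key mismatch with the template rather than a transport problem.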