NAME
Suricata::Monitoring - LibreNMS JSON SNMP extend and Nagios style check for Suricata stats
VERSION
Version 0.3.0
SYNOPSIS
use Suricata::Monitoring;

my $args = {
    mode               => 'librenms',
    drop_percent_warn  => .75,
    drop_percent_crit  => 1,
    error_delta_warn   => 1,
    error_delta_crit   => 2,
    error_percent_warn => .05,
    error_percent_crit => .1,
    files              => {
        'ids' => '/var/log/suricata/alert-ids.json',
        'foo' => '/var/log/suricata/alert-foo.json',
    },
};

my $sm       = Suricata::Monitoring->new($args);
my $returned = $sm->run;    # collects the stats and updates the cache
$sm->print_output;          # LibreNMS or Nagios formatted output, per 'mode'
exit $returned->{alert};    # 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN
METHODS
new
Initiate the object.
The args are taken as a hash ref. The keys are documented as below.
The only must have is 'files'.
- mode :: Whether the print_output output should be formatted for Nagios or LibreNMS.
- value :: 'librenms' or 'nagios'
- Default :: librenms
- drop_percent_warn :: Drop percent warning threshold.
- Default :: .75
- drop_percent_crit :: Drop percent critical threshold.
- Default :: 1
- error_delta_warn :: Error delta warning threshold.
- Default :: 1
- error_delta_crit :: Error delta critical threshold.
- Default :: 2
- error_percent_warn :: Error percent warning threshold.
- Default :: .05
- error_percent_crit :: Error percent critical threshold.
- Default :: .1
- max_age :: How far back to read in seconds.
- Default :: 360
- files :: A hash with the keys being the instance name and the values
being the Eve files to read. ".total" is not a valid instance name.
Similarly, anything starting with a "." should be considered reserved.
my $args = {
    mode               => 'librenms',
    drop_percent_warn  => .75,
    drop_percent_crit  => 1,
    error_delta_warn   => 1,
    error_delta_crit   => 2,
    error_percent_warn => .05,
    error_percent_crit => .1,
    max_age            => 360,
    files              => {
        'ids' => '/var/log/suricata/alert-ids.json',
        'foo' => '/var/log/suricata/alert-foo.json',
    },
};

my $sm = Suricata::Monitoring->new($args);
run
This runs the check, collects the data, and updates the cache.
It returns a LibreNMS style hash, as described under LibreNMS HASH below.
my $returned=$sm->run;
print_output
Prints the output.
$sm->print_output;
LibreNMS HASH
+ $hash{'alert'} :: Alert status.
- 0 :: OK
- 1 :: WARNING
- 2 :: CRITICAL
- 3 :: UNKNOWN
+ $hash{'alertString'} :: A string describing the alert. Defaults to
'' if there is no alert.
+ $hash{'error'} :: An integer representing an error. '0' means
everything is fine.
+ $hash{'errorString'} :: A string description of the error.
+ $hash{'data'}{$instance} :: Values migrated from the
instance. *_delta values are created by computing the difference
from the previously saved info. *_percent is the delta in question
over the packet delta. Deltas are created for packets, drops,
ifdrops, and errors. Percents are made for drops, ifdrops, and
errors.
+ $hash{'data'}{'.total'} :: Total values from all the
instances. Any percents are recomputed from the totals.
The stat keys are migrated as below.
uptime => $json->{stats}{uptime},
packets => $json->{stats}{capture}{kernel_packets},
dropped => $json->{stats}{capture}{kernel_drops},
ifdropped => $json->{stats}{capture}{kernel_ifdrops},
errors => $json->{stats}{capture}{errors},
bytes => $json->{stats}{decoder}{bytes},
dec_packets => $json->{stats}{decoder}{pkts},
dec_invalid => $json->{stats}{decoder}{invalid},
dec_ipv4 => $json->{stats}{decoder}{ipv4},
dec_ipv6 => $json->{stats}{decoder}{ipv6},
dec_udp => $json->{stats}{decoder}{udp},
dec_tcp => $json->{stats}{decoder}{tcp},
dec_avg_pkt_size => $json->{stats}{decoder}{avg_pkt_size},
dec_max_pkt_size => $json->{stats}{decoder}{max_pkt_size},
dec_chdlc => $json->{stats}{decoder}{chdlc},
dec_ethernet => $json->{stats}{decoder}{ethernet},
dec_geneve => $json->{stats}{decoder}{geneve},
dec_ieee8021ah => $json->{stats}{decoder}{ieee8021ah},
dec_ipv4_in_ipv6 => $json->{stats}{decoder}{ipv6_in_ipv6},
dec_mx_mac_addrs_d => $json->{stats}{decoder}{max_mac_addrs_dst},
dec_mx_mac_addrs_s => $json->{stats}{decoder}{max_mac_addrs_src},
dec_mpls => $json->{stats}{decoder}{mpls},
dec_ppp => $json->{stats}{decoder}{ppp},
dec_pppoe => $json->{stats}{decoder}{pppoe},
dec_raw => $json->{stats}{decoder}{raw},
dec_sctp => $json->{stats}{decoder}{sctp},
dec_sll => $json->{stats}{decoder}{sll},
dec_teredo => $json->{stats}{decoder}{teredo},
dec_too_many_layer => $json->{stats}{decoder}{too_many_layers},
dec_vlan => $json->{stats}{decoder}{vlan},
dec_vlan_qinq => $json->{stats}{decoder}{vlan_qinq},
dec_vntag => $json->{stats}{decoder}{vntag},
dec_vxlan => $json->{stats}{decoder}{vxlan},
f_tcp => $json->{stats}{flow}{tcp},
f_udp => $json->{stats}{flow}{udp},
f_icmpv4 => $json->{stats}{flow}{icmpv4},
f_icmpv6 => $json->{stats}{flow}{icmpv6},
f_memuse => $json->{stats}{flow}{memuse},
ftp_memuse => $json->{stats}{ftp}{memuse},
http_memuse => $json->{stats}{http}{memuse},
tcp_memuse => $json->{stats}{tcp}{memuse},
tcp_reass_memuse => $json->{stats}{tcp}{reassembly_memuse},
af_* => $json->{stats}{app_layer}{flow}{*}
at_* => $json->{stats}{app_layer}{tx}{*}
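The threshold options documented under new and the delta/percent/total computation described under LibreNMS HASH, worked through end to end. This is an added illustrative reimplementation in Python, not Suricata::Monitoring's own code: the key names (dropped_delta, dropped_percent, ...), the assumption that a percent is delta over packet delta times 100, and the rule that only named instances (not .total) are compared against the thresholds are assumptions; the eve stats lines and cache are constructed.

```python
import json
# Defaults as documented under new(). Everything here is an added, illustrative
# reimplementation of the documented behaviour, not Suricata::Monitoring's own code.
THRESH = {"drop_percent_warn": 0.75, "drop_percent_crit": 1, "error_delta_warn": 1,
          "error_delta_crit": 2, "error_percent_warn": 0.05, "error_percent_crit": 0.1}
COUNTERS = ("packets", "dropped", "ifdropped", "errors")

def migrate(eve_line):
    """Map one eve 'stats' record onto the documented capture keys."""
    s = json.loads(eve_line)["stats"]
    cap = s["capture"]
    return {"uptime": s["uptime"], "packets": cap["kernel_packets"],
            "dropped": cap["kernel_drops"], "ifdropped": cap["kernel_ifdrops"],
            "errors": cap["errors"]}

def add_percents(d):
    """*_percent = delta / packets_delta * 100 (scale assumed; 0 when no packets moved)."""
    pd = d["packets_delta"]
    for k in ("dropped", "ifdropped", "errors"):
        d[k + "_percent"] = round(d[k + "_delta"] / pd * 100, 4) if pd > 0 else 0.0
    return d

def add_deltas(cur, prev):
    """*_delta = this poll minus the cached previous poll (0 when nothing is cached)."""
    out = dict(cur)
    for k in COUNTERS:
        out[k + "_delta"] = cur[k] - prev.get(k, 0)
    return add_percents(out)

def check(instances, cache, thresh=THRESH):
    """Return a LibreNMS style hash: alert (0/1/2), alertString, error, errorString, data."""
    data, alert, msgs = {}, 0, []
    for name, line in instances.items():
        d = data[name] = add_deltas(migrate(line), cache.get(name, {}))
        for metric, value in (("drop_percent", d["dropped_percent"]),
                              ("error_delta", d["errors_delta"]),
                              ("error_percent", d["errors_percent"])):
            level = 2 if value >= thresh[metric + "_crit"] else 1 if value >= thresh[metric + "_warn"] else 0
            if level:
                alert = max(alert, level)
                msgs.append(f"{name} {metric} {value} >= {thresh[metric + ('_crit' if level == 2 else '_warn')]}")
    # .total sums the counters and deltas across all instances and recomputes the percents.
    keys = [k for k in next(iter(data.values())) if not k.endswith("_percent")]
    data[".total"] = add_percents({k: sum(d[k] for d in data.values()) for k in keys})
    return {"alert": alert, "alertString": "; ".join(msgs), "error": 0, "errorString": "", "data": data}
# Constructed sample: cached counters from the previous poll plus the newest eve stats line per instance.
CACHE = {"ids": {"packets": 100000, "dropped": 100, "ifdropped": 0, "errors": 0},
         "foo": {"packets": 50000, "dropped": 10, "ifdropped": 0, "errors": 0}}
LINES = {"ids": '{"event_type":"stats","stats":{"uptime":3600,"capture":{"kernel_packets":110000,"kernel_drops":200,"kernel_ifdrops":0,"errors":0}}}',
         "foo": '{"event_type":"stats","stats":{"uptime":3600,"capture":{"kernel_packets":60000,"kernel_drops":10,"kernel_ifdrops":0,"errors":1}}}'}
```

Calling check(LINES, CACHE) on the sample trips the critical drop threshold on ids (100 of 10000 new packets dropped, 1%) and the warning error-delta threshold on foo, so alert is 2 and .total reports a recomputed 0.5% drop rate.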
AUTHOR
Zane C. Bowers-Hadley, <vvelox at vvelox.net>
BUGS
Please report any bugs or feature requests to bug-suricata-monitoring at rt.cpan.org, or through the web interface at https://rt.cpan.org/NoAuth/ReportBug.html?Queue=Suricata-Monitoring. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
SUPPORT
You can find documentation for this module with the perldoc command.
perldoc Suricata::Monitoring
You can also look for information at:
RT: CPAN's request tracker (report bugs here)
https://rt.cpan.org/NoAuth/Bugs.html?Dist=Suricata-Monitoring
CPAN Ratings
Search CPAN
git@github.com:VVelox/Suricata-Monitoring.git
ACKNOWLEDGEMENTS
LICENSE AND COPYRIGHT
This software is Copyright (c) 2022 by Zane C. Bowers-Hadley.
This is free software, licensed under:
The Artistic License 2.0 (GPL Compatible)