[Oisf-users] Quick&Dirty(™) suricata stats.log to Graphite
Nikolay Denev
ndenev at gmail.com
Wed Jul 18 14:15:12 UTC 2012
Hello,
I did this quick and very dirty perl script to feed my suricata stats.log to a graphite instance.
Probably someone can find it useful.
P.S.: I'm not sure, but it seems that the stats logging supports only the regular file type, and a socket could probably be even more efficient
if the file is read only by a script.
Here's the script :
#!/usr/bin/perl
use strict;
use warnings;
use DateTime::Format::Strptime;
use IO::Socket;

# Follow stats.log as Suricata appends to it (tail -F survives log rotation).
open(my $suristat, '-|', '/usr/bin/tail', '-F', '/var/log/suricata/stats.log')
    or die "Unable to run tail: $!";

my $carbon_host = 'graphite.example.com';
my $carbon_port = '2003';
my ($socket, $dt, $ts, $line, $oid, $val);

# Metric path prefix: <short hostname>.suricata.stats.<counter name>
my $hostname = `hostname -s`;
chomp($hostname);
my $base = "$hostname.suricata.stats";

# stats.log stamps each dump as "Date: m/d/Y -- H:M:S (uptime: ...)"
my $dp = DateTime::Format::Strptime->new( pattern => '%m/%d/%Y %H:%M:%S' );

while (<$suristat>) {
    $line = $_;
    chomp($line);
    if ($line =~ m/^Date: (.*) -- (.*) \(uptime.*$/) {
        # New dump: take its timestamp and open a fresh connection to carbon.
        $dt = $dp->parse_datetime("$1 $2");
        next unless $dt;
        $ts = $dt->epoch;
        if ($socket) {
            close $socket;
        }
        $socket = IO::Socket::INET->new(
            PeerAddr => $carbon_host,
            PeerPort => $carbon_port,
            Proto    => 'tcp',
        );
        die "Unable to open socket: $!" unless ($socket);
    } elsif ($ts && $line =~ m/^([a-zA-Z0-9\._\-]+)\s+\|.*\| ([0-9]+)/) {
        # Counter line "<name> | <thread> | <value>": emit carbon plaintext "path value timestamp".
        $oid = $1;
        $val = $2;
        printf $socket ("%s.%s %s %s\n", $base, $oid, $val, $ts);
    }
}
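As an added example (not part of the post or of Suricata), the same stats.log parsing in Python, turning a constructed stats.log block into Graphite plaintext-protocol lines; the sensor name, carbon host and the assumption that the Date stamp is read as UTC are mine.

```python
import re
import socket
from datetime import datetime, timezone

# Constructed sample of a Suricata 1.x stats.log dump (not real sensor output).
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 7/18/2012 -- 14:15:12 (uptime: 0d, 00h 05m 02s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth01               | 123456
capture.kernel_drops      | RxPcapeth01               | 42
tcp.sessions              | Detect                    | 987
detect.alert              | Detect                    | 3
"""

# Same two patterns the perl script uses: one for the dump header, one per counter row.
DATE_RE = re.compile(r'^Date: (.*) -- (.*) \(uptime.*$')
COUNTER_RE = re.compile(r'^([a-zA-Z0-9._-]+)\s+\|.*\| ([0-9]+)')


def stats_to_carbon(lines, base):
    """Yield carbon plaintext lines ("path value timestamp") for one or more dumps."""
    ts = None  # counters seen before any Date header have no timestamp and are dropped
    for raw in lines:
        line = raw.rstrip('\n')
        m = DATE_RE.match(line)
        if m:
            dt = datetime.strptime(f"{m.group(1)} {m.group(2)}", '%m/%d/%Y %H:%M:%S')
            # Assumption: treat the stamp as UTC; swap in your sensor's zone if needed.
            ts = int(dt.replace(tzinfo=timezone.utc).timestamp())
            continue
        m = COUNTER_RE.match(line)
        if m and ts is not None:
            # Header and separator rows never match: their last column is not numeric.
            yield f"{base}.{m.group(1)} {m.group(2)} {ts}"


def send_to_carbon(metric_lines, host='graphite.example.com', port=2003):
    """Push the lines over one TCP connection to carbon's plaintext listener."""
    payload = ''.join(f"{line}\n" for line in metric_lines).encode()
    with socket.create_connection((host, port)) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == '__main__':
    for metric in stats_to_carbon(SAMPLE_STATS_LOG.splitlines(), 'sensor1.suricata.stats'):
        print(metric)
```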