[Oisf-users] Quick&Dirty(™) suricata stats.log to Graphite

[Victor Julien]

Interested in having this added to the contrib dir? If so, please submit
a patch!

On 07/18/2012 04:15 PM, Nikolay Denev wrote:
> Hello,
> 
> I've did this quick and very dirty perl script to feed my suricata stats.log to a graphite instance.
> Probably someone can find it useful.
> 
> P.S.: I'm not sure but it seems that the stats logging does support only regular filetype, and probably a socket can be even more efficient
> if the file is read only by a script.
> 
> 
> Here's the script :
> 
> 
> #!/usr/bin/perl
> 
> use strict;
> use warnings;
> use DateTime::Format::Strptime;
> use IO::Socket;
> 
> open SURISTAT, "/usr/bin/tail -F /var/log/suricata/stats.log |";
> 
> my $carbon_host = 'graphite.example.com';
> my $carbon_port = '2003';
> 
> my ($socket, $dp, $dt, $ts, $line, $oid, $val);
> my $hostname = `hostname -s`;
> chomp($hostname);
> my $base = "$hostname.suricata.stats";
> 
> while (<SURISTAT>) {
> 	$line = $_;
> 	chomp($line);
> 
> 	if ($line =~ m/^Date: (.*) -- (.*) \(uptime.*$/) {
> 		$dp = DateTime::Format::Strptime->new( pattern => '%m/%d/%Y %H:%M:%S' );
> 		$dt = $dp->parse_datetime("$1 $2");
> 		$ts = $dt->epoch;
> 		if ($socket) {
> 			close $socket;
> 		}
> 		$socket = new IO::Socket::INET (
> 			PeerAddr => $carbon_host,
> 			PeerPort => $carbon_port,
> 			Proto => 'tcp',
> 		);
> 		die "Unable to open socket: $!" unless ( $socket );
> 	} elsif ($ts && $line =~ m/^([a-zA-Z0-9\._\-]+)\s+\|.*\| ([0-9]+)/) {
> 		$oid = $1;
> 		$val = $2;
> 		printf $socket ("%s.%s %s %s\n", $base, $oid, $val, $ts);
> 	}
> }
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------