[Oisf-users] Quick&Dirty(™) suricata stats.log to Graphite
Victor Julien
victor at inliniac.net
Tue Aug 7 16:03:14 UTC 2012
Interested in having this added to the contrib dir? If so, please submit
a patch!
On 07/18/2012 04:15 PM, Nikolay Denev wrote:
> Hello,
>
> I did this quick and very dirty Perl script to feed my suricata stats.log to a graphite instance.
> Probably someone can find it useful.
>
> P.S.: I'm not sure, but it seems that the stats logging supports only a regular file type, and a socket could probably be even more efficient
> if the file is only read by a script.
>
>
> Here's the script :
>
>
> #!/usr/bin/perl
>
> use strict;
> use warnings;
> use DateTime::Format::Strptime;
> use IO::Socket;
>
> # Follow stats.log; tail -F keeps following across log rotation.
> open(SURISTAT, "-|", "/usr/bin/tail", "-F", "/var/log/suricata/stats.log")
>     or die "Unable to run tail: $!";
>
> my $carbon_host = 'graphite.example.com';
> my $carbon_port = '2003';
>
> my ($socket, $dt, $ts, $line, $oid, $val);
> my $hostname = `hostname -s`;
> chomp($hostname);
> my $base = "$hostname.suricata.stats";
>
> # stats.log writes its block header as "Date: 7/18/2012 -- 16:14:50 (uptime: ...)"
> my $dp = DateTime::Format::Strptime->new( pattern => '%m/%d/%Y %H:%M:%S' );
>
> while (<SURISTAT>) {
>     $line = $_;
>     chomp($line);
>
>     if ($line =~ m/^Date: (.*) -- (.*) \(uptime.*$/) {
>         # New stats block: take its timestamp and open a fresh Carbon connection.
>         $dt = $dp->parse_datetime("$1 $2");
>         next unless defined $dt;
>         $ts = $dt->epoch;
>         if ($socket) {
>             close $socket;
>         }
>         $socket = IO::Socket::INET->new(
>             PeerAddr => $carbon_host,
>             PeerPort => $carbon_port,
>             Proto    => 'tcp',
>         );
>         die "Unable to open socket: $!" unless ( $socket );
>     } elsif ($ts && $line =~ m/^([a-zA-Z0-9\._\-]+)\s+\|.*\| ([0-9]+)/) {
>         # Counter line: "<counter> | <TM name> | <value>"
>         $oid = $1;
>         $val = $2;
>         # Carbon plaintext protocol: "<metric path> <value> <timestamp>\n"
>         printf $socket ("%s.%s %s %s\n", $base, $oid, $val, $ts);
>     }
> }
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
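The stats.log-to-Carbon conversion from the quoted script, as an added example that is not part of this thread or of Suricata itself. It is written in Python rather than Perl so the parsing can be exercised stand-alone, and it goes one step beyond the Perl script: the "TM Name" column is kept in the metric path, so the same counter reported by several capture threads (for example decoder.pkts from two RxPcap threads) does not collapse into one Graphite series where the last write wins. The sample stats.log block, the sensor name, the Carbon host and the assumption that stats.log timestamps are UTC are all constructed for this example.

```python
#!/usr/bin/env python3
"""Parse Suricata 1.x stats.log blocks into Graphite/Carbon plaintext lines.

Added example, not the script from the mailing-list post. It matches the
same "Date:" header and counter-line shapes as the Perl script but keeps
the thread-module ("TM Name") column in the metric path.
"""
import re
import socket
from datetime import datetime, timezone

# Block header, e.g. "Date: 7/18/2012 -- 16:14:50 (uptime: 0d, 00h 00m 10s)"
DATE_RE = re.compile(r"^Date: (\S+) -- (\S+) \(uptime.*$")
# Counter line, e.g. "decoder.pkts | RxPcapeth01 | 1234". The column header
# "Counter | TM Name | Value" is skipped because its last field is not numeric.
COUNTER_RE = re.compile(r"^([A-Za-z0-9._-]+)\s+\|\s*([^|]*?)\s*\|\s*([0-9]+)\s*$")
# Graphite treats '.' as a path separator, so anything unusual in a TM name is
# folded to '_' to keep it inside a single path component.
UNSAFE_RE = re.compile(r"[^A-Za-z0-9_-]")


def sanitize(component: str) -> str:
    """Make a string safe to use as one Graphite metric path component."""
    cleaned = UNSAFE_RE.sub("_", component.strip())
    return cleaned or "unknown"


def parse_stats_log(lines, base: str):
    """Yield (metric_path, value, epoch) for every counter line.

    The timestamp comes from the most recent "Date:" header; counter lines
    seen before any header are dropped, as in the Perl script. stats.log
    timestamps are assumed to be UTC here (an assumption of this example).
    """
    ts = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = DATE_RE.match(line)
        if m:
            dt = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %H:%M:%S")
            ts = int(dt.replace(tzinfo=timezone.utc).timestamp())
            continue
        m = COUNTER_RE.match(line)
        if m and ts is not None:
            counter, tm_name, value = m.groups()
            yield f"{base}.{sanitize(tm_name)}.{counter}", int(value), ts


def to_carbon_lines(metrics):
    """Render metrics in the Carbon plaintext protocol: '<path> <value> <timestamp>\\n'."""
    return [f"{path} {value} {ts}\n" for path, value, ts in metrics]


def send_to_carbon(carbon_lines, host="graphite.example.com", port=2003, timeout=5.0):
    """Ship rendered lines to a Carbon receiver over TCP, one connection per batch.

    The host name is a placeholder; nothing in this example calls this function.
    """
    payload = "".join(carbon_lines).encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


# Constructed sample block in the stats.log layout the Perl script expects.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 7/18/2012 -- 16:14:50 (uptime: 0d, 00h 00m 10s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | RxPcapeth01               | 1234
decoder.pkts              | RxPcapeth02               | 987
decoder.invalid           | RxPcapeth01               | 0
""".splitlines(keepends=True)


if __name__ == "__main__":
    # Dry run: print the Carbon lines instead of opening a socket.
    for out in to_carbon_lines(parse_stats_log(SAMPLE_STATS_LOG, "sensor1.suricata.stats")):
        print(out, end="")
```

Running it prints one Carbon line per counter, with the thread name between the base path and the counter name, so both decoder.pkts series survive; to actually ship data, feed the rendered lines to send_to_carbon with the real receiver host and port.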