[Oisf-users] Suricata Heartbeat Alert
Alan Amesbury
amesbury at oitsec.umn.edu
Wed Aug 2 18:42:20 UTC 2017
On Jul 28, 2017, at 11:00, oisf-users-request at lists.openinfosecfoundation.org wrote:
[snip - removing rest of digest]
> Date: Fri, 28 Jul 2017 13:37:58 +0000
> From: Charles Devoe <Charles.Devoe at cisecurity.org>
[snip]
> Is there a way to have Suricata create a heartbeat alert? This alert would be a dummy alert and would be used to let us know that the Suricata system is up and working and all of our ancillary functions are also working.
With Suricata's stats output enabled, it produces statistics about every eight seconds, according to
http://suricata.readthedocs.io/en/latest/performance/statistics.html
These show up in the EVE output, and should be usable for some sort of "heartbeat" tracking. It won't be an identical number per minute, because eight doesn't divide evenly into 60, but you should probably see 7 or 8 "stats" events every minute, even taking into account a "minute" might be 61 seconds long. (We're running a 3.x version of Suricata.)
I've not noticed any adverse performance impact for enabling stats output. (Note this is not the same as enabling profiling, which very much has an impact.)
--
Alan Amesbury
University Information Security
http://umn.edu/lookup/amesbury
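
One way to implement the stats-based heartbeat check described in the message above, as an added example that is not part of the original post or the Suricata project: it keeps the "stats" events from EVE JSON lines and reports any silence longer than a threshold. The function names, the 24-second threshold and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

STATS_INTERVAL = 8            # seconds between stats events, per the docs linked above
MAX_GAP = 3 * STATS_INTERVAL  # assumption: tolerate up to two missed intervals
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # EVE timestamp layout

# Constructed sample EVE lines (not real sensor output); line 5 is truncated.
SAMPLE = """\
{"timestamp":"2017-08-02T18:42:00.000101+0000","event_type":"stats","stats":{"uptime":800}}
{"timestamp":"2017-08-02T18:42:08.000095+0000","event_type":"stats","stats":{"uptime":808}}
{"timestamp":"2017-08-02T18:42:16.000120+0000","event_type":"stats","stats":{"uptime":816}}
{"timestamp":"2017-08-02T18:42:20.513377+0000","event_type":"alert","src_ip":"192.0.2.10"}
{"timestamp":"2017-08-02T18:42:24.0001
{"timestamp":"2017-08-02T18:43:04.000088+0000","event_type":"stats","stats":{"uptime":864}}
{"timestamp":"2017-08-02T18:43:12.000131+0000","event_type":"stats","stats":{"uptime":872}}
""".splitlines()

def stats_times(lines):
    """Return timestamps of the "stats" events, skipping anything unparsable."""
    times = []
    for line in lines:
        try:
            rec = json.loads(line)
            if rec.get("event_type") == "stats":
                times.append(datetime.strptime(rec["timestamp"], TS_FORMAT))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # partial write, rotation debris, or non-object JSON
    return times

def heartbeat_gaps(lines, now, max_gap=MAX_GAP):
    """Return (start, end, seconds) for each silence longer than max_gap,
    counting the silence between the last stats event and `now`."""
    times = stats_times(lines)
    if not times:
        return [(None, now, None)]  # no heartbeat seen at all
    gaps = []
    for prev, cur in zip(times, times[1:] + [now]):
        seconds = (cur - prev).total_seconds()
        if seconds > max_gap:
            gaps.append((prev, cur, seconds))
    return gaps

if __name__ == "__main__":
    now = datetime(2017, 8, 2, 18, 43, 20, tzinfo=timezone.utc)
    for start, end, seconds in heartbeat_gaps(SAMPLE, now):
        print(f"no stats events from {start} to {end} ({seconds:.0f}s)")
```

Checking gaps between consecutive stats events, rather than counting events per calendar minute, avoids the 7-or-8 ambiguity the message mentions.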