[Oisf-users] stats.log - append / overwrite options?
Peter Manev
petermanev at gmail.com
Fri Jun 9 06:52:04 UTC 2017
On Thu, Jun 8, 2017 at 11:27 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
> I am using Zabbix to track and display capture kernel packets and capture
> kernel drops. I am grabbing them from the stats.log using the following
> parameters in the Zabbix config –
>
> UserParameter=capture.kernel_packets[*],tac '/var/log/suricata/stats.log' | grep -m 1 capture.kernel_packets | awk '/[0-9]/ {print $NF}'
>
> UserParameter=capture.kernel_drops[*], tac '/var/log/suricata/stats.log' | grep 'capture.kernel_drops'|awk '/[0-9]/ {print $NF}'
>
> Is there an option to overwrite the stats.log at every Suricata restart? I
> guess I could have ALL stats reported even if there is no value, but I was
> wondering if there is another way of accomplishing this.
>
  # Stats.log contains data from various counters of the suricata engine.
  - stats:
      enabled: yes
      filename: stats.log
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      #null-values: yes # print counters that have value 0
      append: no
I think "append: no" would do what you are looking for.
>
> My current setup is good unless you restart. If there are no drops since the
> recent restart, then the search will work backwards through stats.log until
> it gets to the last drop entry which will not be valid if there are no
> current drops.
>
> Thank you.
>
> Sean Cloherty
>
> InfoSec Engineer/Scientist, Lead
>
> MITRE Corporation
>
> office (781) 271-3707
>
> cell (781) 697-8043
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
--
Regards,
Peter Manev
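An added example, not part of the thread and not Suricata's or Zabbix's own code, showing the failure mode Sean describes and one way to avoid it regardless of the append setting: read the counter from the most recent stats dump only, and report 0 when the counter is absent from that dump. The sample stats.log content is constructed here, and its layout (a "Date:" header per dump, '|'-separated columns) is assumed to match Suricata's human-readable stats.log; the function names latest_counter and last_seen_counter are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare "last value seen anywhere in
# stats.log" (what tac | grep returns) with "value in the latest dump only".

# Constructed sample stats.log: two dumps. The second (after a restart, no
# drops yet) has no capture.kernel_drops line. Layout assumed to follow
# Suricata's stats.log: a "Date:" header starts each dump.
SAMPLE_STATS_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_STATS_LOG"' EXIT
cat > "$SAMPLE_STATS_LOG" <<'EOF'
------------------------------------------------------------------------------------
Date: 6/8/2017 -- 23:00:00 (uptime: 0d, 01h 00m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1500000
capture.kernel_drops                       | Total                     | 4200
------------------------------------------------------------------------------------
Date: 6/9/2017 -- 06:52:04 (uptime: 0d, 00h 00m 10s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 9876
EOF

# last_seen_counter FILE COUNTER
# Mirrors the tac | grep approach: prints the last occurrence of COUNTER in
# the whole file, so after a restart it can return a stale pre-restart value.
last_seen_counter() {
    awk -v name="$2" '
        $1 == name && $2 == "|" { found = $NF }   # exact counter name, not a substring
        END { if (found == "") print 0; else print found }
    ' "$1"
}

# latest_counter FILE COUNTER
# Prints the value of COUNTER from the last dump only (everything after the
# final "Date:" header). Prints 0 if the counter is not in that dump, which is
# what a dashboard should show when there have been no drops since restart.
latest_counter() {
    awk -v name="$2" '
        /^Date: /                 { found = "" }     # new dump: forget earlier values
        $1 == name && $2 == "|"   { found = $NF }
        END { if (found == "") print 0; else print found }
    ' "$1"
}

echo "tac|grep style  capture.kernel_drops=$(last_seen_counter "$SAMPLE_STATS_LOG" capture.kernel_drops)"
echo "latest dump     capture.kernel_drops=$(latest_counter "$SAMPLE_STATS_LOG" capture.kernel_drops)"
echo "latest dump     capture.kernel_packets=$(latest_counter "$SAMPLE_STATS_LOG" capture.kernel_packets)"
```

For a Zabbix UserParameter this would be called as a script with the counter name passed through the `[*]` argument, replacing the file path and counter in the sample with the real ones. Matching the whole first column rather than grepping a substring also keeps counters with a common prefix from being confused with each other.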