[Oisf-users] stats.log - append / overwrite options?
Cloherty, Sean E
scloherty at mitre.org
Fri Jun 9 19:32:36 UTC 2017
Doesn't seem to work for stats.log.
-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Cloherty, Sean E
Sent: Friday, June 09, 2017 10:29 AM
To: Peter Manev <petermanev at gmail.com>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] stats.log - append / overwrite options?
Sounds good, thanks.. I know that some of the other logs have that parameter, but I didn't see it in the default .yaml file so I wasn't sure if that would work.
If it does then I can update the docs online if that would help.
Sean.
-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com]
Sent: Friday, June 09, 2017 02:52 AM
To: Cloherty, Sean E <scloherty at mitre.org>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] stats.log - append / overwrite options?
On Thu, Jun 8, 2017 at 11:27 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
> I am using Zabbix to track and display capture kernel packets and
> capture kernel drops. I am grabbing them from the stats.log using the
> following parameters in the Zabbix config –
>
>
>
> UserParameter=capture.kernel_packets[*],tac
> '/var/log/suricata/stats.log' | grep -m 1 capture.kernel_packets | awk
> '/[0-9]/ {print $NF}'
>
> UserParameter=capture.kernel_drops[*], tac
> '/var/log/suricata/stats.log' | grep 'capture.kernel_drops'|awk
> '/[0-9]/ {print $NF}'
>
>
>
> Is there an option to overwrite the stats.log at every Suricata
> restart? I guess I could have ALL stats reported even if there is no
> value, but I was wondering if there is another way of accomplishing this.
>
>
# Stats.log contains data from various counters of the suricata engine.
- stats:
enabled: yes
filename: stats.log
totals: yes # stats for all threads merged together
threads: no # per thread stats
#null-values: yes # print counters that have value 0
append: no
I think "append: no" would do what you are looking for.
>
> My current setup is good unless you restart. If there are no drops
> since the recent restart, then the search will work backwards through
> stats.log until it gets to the last drop entry which will not be valid
> if there are no current drops.
>
>
>
> Thank you.
>
>
>
> Sean Cloherty
>
> InfoSec Engineer/Scientist, Lead
>
> MITRE Corporation
>
> office (781) 271-3707
>
> cell (781) 697-8043
>
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
--
Regards,
Peter Manev
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
More information about the Oisf-users
mailing list