[Oisf-users] stats.log - append / overwrite options?

Cloherty, Sean E scloherty at mitre.org
Fri Jun 9 19:32:36 UTC 2017 

Doesn't seem to work for stats.log.

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Cloherty, Sean E
Sent: Friday, June 09, 2017 10:29 AM
To: Peter Manev <petermanev at gmail.com>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] stats.log - append / overwrite options?

Sounds good, thanks.. I know that some of the other logs have that parameter, but I didn't see it in the default .yaml file so I wasn't sure if that would work.

If it does then I can update the docs online if that would help.

Sean.

-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com]
Sent: Friday, June 09, 2017 02:52 AM
To: Cloherty, Sean E <scloherty at mitre.org>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] stats.log - append / overwrite options?

On Thu, Jun 8, 2017 at 11:27 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
> I am using Zabbix to track and display capture kernel packets and 
> capture kernel drops.  I am grabbing them from the stats.log using the 
> following parameters in the Zabbix config –
>
>
>
>       UserParameter=capture.kernel_packets[*],tac
> '/var/log/suricata/stats.log' | grep -m 1 capture.kernel_packets | awk 
> '/[0-9]/ {print $NF}'
>
>       UserParameter=capture.kernel_drops[*], tac 
> '/var/log/suricata/stats.log'  | grep 'capture.kernel_drops'|awk 
> '/[0-9]/ {print $NF}'
>
>
>
> Is there an option to overwrite the stats.log at every Suricata 
> restart?  I guess I could have ALL stats reported even if there is no 
> value, but I was wondering if there is another way of accomplishing this.
>
>


  # Stats.log contains data from various counters of the suricata engine.
  - stats:
      enabled: yes
      filename: stats.log
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      #null-values: yes  # print counters that have value 0
      append: no

I think "append: no" would do what you are looking for.


>
> My current setup is good unless you restart. If there are no drops 
> since the recent restart, then the search will work backwards through 
> stats.log until it gets to the last drop entry which will not be valid 
> if there are no current drops.
>
>
>
> Thank you.
>
>
>
> Sean Cloherty
>
> InfoSec Engineer/Scientist, Lead
>
> MITRE Corporation
>
> office (781) 271-3707
>
> cell      (781) 697-8043
>
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



--
Regards,
Peter Manev
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

More information about the Oisf-users mailing list