[Oisf-users] stats.log - append / overwrite options?

Peter Manev petermanev at gmail.com
Fri Jun 9 20:38:01 UTC 2017 

On Fri, Jun 9, 2017 at 9:32 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
> Doesn't seem to work for stats.log.

Can you please paste the stats.log section if possible?


>
> -----Original Message-----
> From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Cloherty, Sean E
> Sent: Friday, June 09, 2017 10:29 AM
> To: Peter Manev <petermanev at gmail.com>
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] stats.log - append / overwrite options?
>
> Sounds good, thanks.. I know that some of the other logs have that parameter, but I didn't see it in the default .yaml file so I wasn't sure if that would work.
>
> If it does then I can update the docs online if that would help.
>
> Sean.
>
> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Friday, June 09, 2017 02:52 AM
> To: Cloherty, Sean E <scloherty at mitre.org>
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] stats.log - append / overwrite options?
>
> On Thu, Jun 8, 2017 at 11:27 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
>> I am using Zabbix to track and display capture kernel packets and
>> capture kernel drops.  I am grabbing them from the stats.log using the
>> following parameters in the Zabbix config –
>>
>>
>>
>>       UserParameter=capture.kernel_packets[*],tac
>> '/var/log/suricata/stats.log' | grep -m 1 capture.kernel_packets | awk
>> '/[0-9]/ {print $NF}'
>>
>>       UserParameter=capture.kernel_drops[*], tac
>> '/var/log/suricata/stats.log'  | grep 'capture.kernel_drops'|awk
>> '/[0-9]/ {print $NF}'
>>
>>
>>
>> Is there an option to overwrite the stats.log at every Suricata
>> restart?  I guess I could have ALL stats reported even if there is no
>> value, but I was wondering if there is another way of accomplishing this.
>>
>>
>
>
>   # Stats.log contains data from various counters of the suricata engine.
>   - stats:
>       enabled: yes
>       filename: stats.log
>       totals: yes       # stats for all threads merged together
>       threads: no       # per thread stats
>       #null-values: yes  # print counters that have value 0
>       append: no
>
> I think "append: no" would do what you are looking for.
>
>
>>
>> My current setup is good unless you restart. If there are no drops
>> since the recent restart, then the search will work backwards through
>> stats.log until it gets to the last drop entry which will not be valid
>> if there are no current drops.
>>
>>
>>
>> Thank you.
>>
>>
>>
>> Sean Cloherty
>>
>> InfoSec Engineer/Scientist, Lead
>>
>> MITRE Corporation
>>
>> office (781) 271-3707
>>
>> cell      (781) 697-8043
>>
>>
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
>
>
> --
> Regards,
> Peter Manev
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list