[Oisf-users] stats.log - append / overwrite options?

Cloherty, Sean E scloherty at mitre.org
Mon Jun 12 19:39:50 UTC 2017


##
## Step 3: select outputs to enable
##


# The default logging directory.  Any log or output file will be
# placed here if it's not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata

# global stats configuration
stats:
  enabled: yes
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  totals: yes
  threads: no
  append: no
  interval: 300


-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com] 
Sent: Friday, June 09, 2017 16:38 PM
To: Cloherty, Sean E <scloherty at mitre.org>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] stats.log - append / overwrite options?

On Fri, Jun 9, 2017 at 9:32 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
> Doesn't seem to work for stats.log.

Can you please paste the stats.log section if possible?


>
> -----Original Message-----
> From: Oisf-users 
> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf 
> Of Cloherty, Sean E
> Sent: Friday, June 09, 2017 10:29 AM
> To: Peter Manev <petermanev at gmail.com>
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] stats.log - append / overwrite options?
>
> Sounds good, thanks. I know that some of the other logs have that parameter, but I didn't see it in the default .yaml file so I wasn't sure if that would work.
>
> If it does then I can update the docs online if that would help.
>
> Sean.
>
> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Friday, June 09, 2017 02:52 AM
> To: Cloherty, Sean E <scloherty at mitre.org>
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] stats.log - append / overwrite options?
>
> On Thu, Jun 8, 2017 at 11:27 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
>> I am using Zabbix to track and display capture kernel packets and
>> capture kernel drops.  I am grabbing them from the stats.log using
>> the following parameters in the Zabbix config –
>>
>>       UserParameter=capture.kernel_packets[*],tac '/var/log/suricata/stats.log' | grep -m 1 capture.kernel_packets | awk '/[0-9]/ {print $NF}'
>>
>>       UserParameter=capture.kernel_drops[*], tac '/var/log/suricata/stats.log' | grep 'capture.kernel_drops' | awk '/[0-9]/ {print $NF}'
>>
>> Is there an option to overwrite the stats.log at every Suricata
>> restart?  I guess I could have ALL stats reported even if there is no
>> value, but I was wondering if there is another way of accomplishing this.
>>
>
>
>   # Stats.log contains data from various counters of the suricata engine.
>   - stats:
>       enabled: yes
>       filename: stats.log
>       totals: yes       # stats for all threads merged together
>       threads: no       # per thread stats
>       #null-values: yes  # print counters that have value 0
>       append: no
>
> I think "append: no" would do what you are looking for.
>
>
>>
>> My current setup is good unless you restart. If there are no drops 
>> since the recent restart, then the search will work backwards through 
>> stats.log until it gets to the last drop entry which will not be 
>> valid if there are no current drops.
>>
>> Thank you.
>>
>> Sean Cloherty
>> InfoSec Engineer/Scientist, Lead
>> MITRE Corporation
>> office (781) 271-3707
>> cell      (781) 697-8043
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
> --
> Regards,
> Peter Manev



--
Regards,
Peter Manev
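To show the failure mode Sean describes (a stale drop count surviving a restart while stats.log is appended to) next to a restart-safe way of reading the counter, here is an added example; it is not code from the thread or from the Suricata project. It assumes the stats.log layout used by Suricata 3.x/4.x (one block per interval headed by a `Date:` line, rows of `counter | TM Name | value`, `totals: yes`) and constructs a small sample log inline.

```shell
#!/bin/sh
# Constructed sample stats.log as written with "append: yes": one report
# block from before a Suricata restart (7 drops) and one block after it,
# where capture.kernel_drops is absent because no drops have occurred yet.
STATS_LOG="$(mktemp)"
trap 'rm -f "$STATS_LOG"' EXIT
cat > "$STATS_LOG" <<'EOF'
------------------------------------------------------------------------------------
Date: 6/12/2017 -- 18:39:50 (uptime: 0d, 01h 00m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 13466
capture.kernel_drops                       | Total                     | 7
------------------------------------------------------------------------------------
Date: 6/12/2017 -- 19:39:50 (uptime: 0d, 00h 05m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1200
EOF

# The pipeline from the thread: newest matching line anywhere in the file.
# With an appended log and no drops since the restart it returns the stale 7.
naive_last() {
    tac "$1" | grep -m 1 "$2" | awk '/[0-9]/ {print $NF}'
}

# Restart-safe reader: only the most recent block (everything after the last
# "Date:" header) counts, and a counter missing from that block is reported
# as 0, which is how Suricata treats zero-valued counters unless
# null-values: yes is set.  Assumes totals: yes, so the TM Name is "Total".
latest_block_value() {
    awk -v counter="$2" '
        /^Date:/ { found = "" }            # new report block: discard older value
        $1 == counter && $3 == "Total" && $NF ~ /^[0-9]+$/ { found = $NF }
        END { print (found == "" ? 0 : found) }
    ' "$1"
}

echo "naive drops:        $(naive_last "$STATS_LOG" capture.kernel_drops)"         # 7 (stale)
echo "block-scoped drops: $(latest_block_value "$STATS_LOG" capture.kernel_drops)" # 0
```

With `append: no` the file only ever holds blocks written since the last start, so both readers agree; the block-scoped reader additionally returns 0 rather than nothing when the counter is not present in the latest report.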

