[Oisf-users] stats.log - append / overwrite options?

Peter Manev petermanev at gmail.com
Wed Jun 14 07:10:13 UTC 2017


On Mon, Jun 12, 2017 at 9:39 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
>
> ##
> ## Step 3: select outputs to enable
> ##
>
>
> # The default logging directory.  Any log or output file will be
> # placed here if its not specified with a full path name. This can be
> # overridden with the -l command line parameter.
> default-log-dir: /var/log/suricata
>
> # global stats configuration
> stats:
>   enabled: yes
>   # The interval field (in seconds) controls at what interval
>   # the loggers are invoked.
>   totals: yes
>   threads: no
>   append: no
>   interval: 300
>


I just tested that config below with the latest master:

  # Stats.log contains data from various counters of the suricata engine.
  - stats:
      enabled: yes
      filename: stats.log
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      append: no
      #null-values: yes  # print counters that have value 0

works as expected.
I noticed in your config you only have "stats:" as opposed to
"- stats:"? You should also double-check that all indentation is good.

>
> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Friday, June 09, 2017 16:38 PM
> To: Cloherty, Sean E <scloherty at mitre.org>
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] stats.log - append / overwrite options?
>
> On Fri, Jun 9, 2017 at 9:32 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
>> Doesn't seem to work for stats.log.
>
> Can you please paste the stats.log section if possible?
>
>
>>
>> -----Original Message-----
>> From: Oisf-users
>> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf
>> Of Cloherty, Sean E
>> Sent: Friday, June 09, 2017 10:29 AM
>> To: Peter Manev <petermanev at gmail.com>
>> Cc: oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] stats.log - append / overwrite options?
>>
>> Sounds good, thanks. I know that some of the other logs have that parameter, but I didn't see it in the default .yaml file so I wasn't sure if that would work.
>>
>> If it does then I can update the docs online if that would help.
>>
>> Sean.
>>
>> -----Original Message-----
>> From: Peter Manev [mailto:petermanev at gmail.com]
>> Sent: Friday, June 09, 2017 02:52 AM
>> To: Cloherty, Sean E <scloherty at mitre.org>
>> Cc: oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] stats.log - append / overwrite options?
>>
>> On Thu, Jun 8, 2017 at 11:27 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
>>> I am using Zabbix to track and display capture kernel packets and
>>> capture kernel drops.  I am grabbing them from the stats.log using
>>> the following parameters in the Zabbix config –
>>>
>>>
>>>
>>>       UserParameter=capture.kernel_packets[*],tac '/var/log/suricata/stats.log' | grep -m 1 capture.kernel_packets | awk '/[0-9]/ {print $NF}'
>>>
>>>       UserParameter=capture.kernel_drops[*],tac '/var/log/suricata/stats.log' | grep -m 1 capture.kernel_drops | awk '/[0-9]/ {print $NF}'
>>>
>>>
>>>
>>> Is there an option to overwrite the stats.log at every Suricata
>>> restart?  I guess I could have ALL stats reported even if there is no
>>> value, but I was wondering if there is another way of accomplishing this.
>>>
>>>
>>
>>
>>   # Stats.log contains data from various counters of the suricata engine.
>>   - stats:
>>       enabled: yes
>>       filename: stats.log
>>       totals: yes       # stats for all threads merged together
>>       threads: no       # per thread stats
>>       #null-values: yes  # print counters that have value 0
>>       append: no
>>
>> I think "append: no" would do what you are looking for.
>>
>>
>>>
>>> My current setup is good unless you restart. If there are no drops
>>> since the recent restart, then the search will work backwards through
>>> stats.log until it gets to the last drop entry which will not be
>>> valid if there are no current drops.
>>>
>>>
>>>
>>> Thank you.
>>>
>>>
>>>
>>> Sean Cloherty
>>>
>>> InfoSec Engineer/Scientist, Lead
>>>
>>> MITRE Corporation
>>>
>>> office (781) 271-3707
>>>
>>> cell      (781) 697-8043
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>



-- 
Regards,
Peter Manev
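The restart problem Sean describes comes from `tac | grep -m 1` taking the most recent match anywhere in stats.log: counters with value 0 are not printed unless null-values is enabled, so after a restart with no drops the newest `capture.kernel_drops` row is a stale one from before the restart. A second way to handle that, independent of `append: no`, is to read the counter only from the latest interval block. The script below is an added example and not part of the thread; it assumes the text stats.log layout of Suricata 3.x/4.0 (a `Date:` header per interval followed by `<counter> | Total | <value>` rows) with `totals: yes` and `threads: no`, and the sample stats.log it writes is constructed for the demonstration. `stale_counter` reproduces the thread's `tac | grep -m 1 | awk` pipeline in awk so the two results can be compared.

```shell
#!/bin/sh
# Added example (not from the thread): pick a counter from the most recent
# interval block of stats.log instead of the most recent match anywhere in
# the file. Assumes the Suricata 3.x/4.0 text stats.log layout with
# "totals: yes" / "threads: no": a "Date:" header per interval followed by
# "<counter> | Total | <value>" rows, with value-0 counters omitted unless
# null-values is enabled.

# Constructed sample: interval 1 (before a restart) recorded 17 drops;
# interval 2 (after the restart) has no drops, so that row is absent.
STATS_FILE=$(mktemp)
trap 'rm -f "$STATS_FILE"' EXIT
cat > "$STATS_FILE" <<'EOF'
------------------------------------------------------------------------------------
Date: 6/14/2017 -- 07:05:13 (uptime: 0d, 00h 05m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 12345
capture.kernel_drops                       | Total                     | 17
decoder.pkts                               | Total                     | 12328
------------------------------------------------------------------------------------
Date: 6/14/2017 -- 07:15:13 (uptime: 0d, 00h 05m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 42
decoder.pkts                               | Total                     | 42
EOF

# The thread's approach (tac FILE | grep -m 1 NAME | awk '{print $NF}'),
# written in awk: last matching row anywhere in the file. Returns the
# stale pre-restart value 17 for capture.kernel_drops on the sample.
stale_counter() {
    awk -v name="$2" '
        $1 == name && $NF ~ /^[0-9]+$/ { val = $NF }
        END { print val }
    ' "$1"
}

# Value from the latest interval block only. A counter missing from that
# block (a 0 that was not printed) is reported as 0, not as an old value.
latest_counter() {
    awk -v name="$2" '
        /^Date:/ { val = "" }                          # new block: discard earlier values
        $1 == name && $NF ~ /^[0-9]+$/ { val = $NF }   # row for the wanted counter
        END { if (val == "") val = 0; print val }
    ' "$1"
}

echo "stale  capture.kernel_drops   = $(stale_counter  "$STATS_FILE" capture.kernel_drops)"
echo "latest capture.kernel_drops   = $(latest_counter "$STATS_FILE" capture.kernel_drops)"
echo "latest capture.kernel_packets = $(latest_counter "$STATS_FILE" capture.kernel_packets)"
```

In a Zabbix UserParameter the `latest_counter` body would replace the `tac | grep | awk` pipeline, with `/var/log/suricata/stats.log` in place of the sample file; it keeps working whether or not stats.log is truncated at restart, and it also avoids the empty item value the stale approach returns when a counter has never been printed at all.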