From 15599d467b00fd2133c5342df919017e4651c7cd Mon Sep 17 00:00:00 2001
From: Kameron Kenny <1267885+kkenny@users.noreply.github.com>
Date: Mon, 28 Oct 2024 17:40:15 -0400
Subject: [PATCH] stats

---
 .gitignore | 1 +
 Dockerfile | 2 +-
 .../nas81-stats-template.conf | 93 +++++++++++++++++++
 config/syslog-ng.conf.d/nas81.conf | 4 +-
 docker-compose.yml | 2 +-
 5 files changed, 97 insertions(+), 5 deletions(-)
 create mode 100644 config/syslog-ng.conf.d/nas81-stats-template.conf

diff --git a/.gitignore b/.gitignore
index 751553b..45355c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.bak
+*.swp
diff --git a/Dockerfile b/Dockerfile
index 4193f40..3c49c78 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM debian:latest
 MAINTAINER Kameron Kenny
-LABEL version="20241028171952"
+LABEL version="20241028174015"
 LABEL description="Debian Based syslog-ng"
 RUN apt-get update
diff --git a/config/syslog-ng.conf.d/nas81-stats-template.conf b/config/syslog-ng.conf.d/nas81-stats-template.conf
new file mode 100644
index 0000000..c23b2ec
--- /dev/null
+++ b/config/syslog-ng.conf.d/nas81-stats-template.conf
@@ -0,0 +1,93 @@
+template t_suricata_nas81_stats {
+ template("{ \"timestamp\": \"${ISODATE}\", \"event_type\": \"stats\", \"stats\": { \
+ \"uptime\": ${uptime}, \
+ \"capture\": { \
+ \"kernel_packets\": ${kernel_packets}, \
+ \"kernel_drops\": ${kernel_drops}, \
+ \"errors\": ${errors}, \
+ \"afpacket\": { \
+ \"busy_loop_avg\": ${busy_loop_avg}, \
+ \"polls\": ${polls}, \
+ \"poll_signal\": ${poll_signal}, \
+ \"poll_timeout\": ${poll_timeout}, \
+ \"poll_data\": ${poll_data}, \
+ \"poll_errors\": ${poll_errors}, \
+ \"send_errors\": ${send_errors} \
+ } \
+ }, \
+ \"decoder\": { \
+ \"pkts\": ${pkts}, \
+ \"bytes\": ${bytes}, \
+ \"invalid\": ${invalid}, \
+ \"protocols\": { \
+ \"ipv4\": ${ipv4}, \
+ \"ipv6\": ${ipv6}, \
+ \"ethernet\": ${ethernet}, \
+ \"arp\": ${arp}, \
+ \"tcp\": ${tcp}, \
+ \"udp\": ${udp}, \
+ \"icmp\": { \
+ \"icmpv4\": ${icmpv4}, \
+ \"icmpv6\": ${icmpv6} \
+ }, \
+ \"vlan\": ${vlan} \
+ }, \
+ \"errors\": { \
+ \"trunc_pkt\": ${trunc_pkt}, \
+ \"opt_pad_required\": ${opt_pad_required}, \
+ \"zero_len_padn\": ${zero_len_padn} \
+ } \
+ }, \
+ \"tcp\": { \
+ \"syn\": ${syn}, \
+ \"synack\": ${synack}, \
+ \"rst\": ${rst}, \
+ \"active_sessions\": ${active_sessions}, \
+ \"sessions\": ${sessions}, \
+ \"memuse\": ${memuse} \
+ }, \
+ \"flow\": { \
+ \"total\": ${total_flow}, \
+ \"active\": ${active_flow}, \
+ \"tcp\": ${tcp_flow}, \
+ \"udp\": ${udp_flow}, \
+ \"icmp\": { \
+ \"icmpv4\": ${icmpv4_flow}, \
+ \"icmpv6\": ${icmpv6_flow} \
+ } \
+ }, \
+ \"detect\": { \
+ \"engines\": [{ \
+ \"id\": ${engine_id}, \
+ \"last_reload\": \"${last_reload}\", \
+ \"rules_loaded\": ${rules_loaded}, \
+ \"rules_failed\": ${rules_failed} \
+ }], \
+ \"alert\": { \
+ \"count\": ${alert_count}, \
+ \"suppressed\": ${alert_suppressed} \
+ } \
+ }, \
+ \"app_layer\": { \
+ \"flow\": { \
+ \"http\": ${http_flow}, \
+ \"tls\": ${tls_flow}, \
+ \"dns\": { \
+ \"udp\": ${dns_udp_flow} \
+ }, \
+ \"failed_tcp\": ${failed_tcp}, \
+ \"failed_udp\": ${failed_udp} \
+ } \
+ }, \
+ \"memory\": { \
+ \"capture\": { \
+ \"pressure\": ${memcap_pressure}, \
+ \"pressure_max\": ${memcap_pressure_max} \
+ }, \
+ \"http\": { \
+ \"memuse\": ${http_memuse} \
+ } \
+ } \
+ }}\n");
+};
+
diff --git a/config/syslog-ng.conf.d/nas81.conf b/config/syslog-ng.conf.d/nas81.conf
index 57aba92..a7a0736 100644
--- a/config/syslog-ng.conf.d/nas81.conf
+++ b/config/syslog-ng.conf.d/nas81.conf
@@ -23,9 +23,7 @@ destination d_nas81_suricata_stats {
 index("nas81")
 type("")
 url("http://pi501.in.thelinuxpro.net:9200/_bulk")
- template("$(format-json --scope rfc5424 --scope dot-nv-pairs
- --rekey .* --shift 1 --scope nv-pairs
- --exclude DATE @timestamp=${ISODATE})")
+ template(t_suricata_nas81_stats)
 persist-name("d_nas81_suricata_stats")
 );
 };
diff --git a/docker-compose.yml b/docker-compose.yml
index 7a42743..167aac4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,7 @@ services:
 syslog-ng:
 build:
 dockerfile: Dockerfile
- image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:20241028171952
+ image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:20241028174015
 container_name: syslog-ng
 restart: unless-stopped
 networks:
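Review bot: Every value in t_suricata_nas81_stats is spliced into the JSON document raw, so the output is only valid JSON when each name-value pair is present and numeric, and `${last_reload}` (the one quoted string) contains no `"` or `\` — an unset pair yields `"uptime": ,` and a stray quote in last_reload lets the rest of that value rewrite the document, and either way the whole bulk item is rejected downstream. Where these name-value pairs are populated is not in this diff, so I cannot say whether an untrusted source can reach them, but a template that emits JSON by concatenation should not be trusted to produce JSON. Let `$(format-json)` do the quoting and type enforcement instead, using its type hints (available in recent syslog-ng; please confirm against the version in the image) so numbers stay numbers and strings are escaped; the shape below is the first few keys, with the rest of the 90-odd keys written the same way.
```conf
template t_suricata_nas81_stats {
 template("$(format-json timestamp=${ISODATE} event_type=stats \
 stats.uptime=int64(\"${uptime}\") \
 stats.capture.kernel_packets=int64(\"${kernel_packets}\") \
 stats.capture.kernel_drops=int64(\"${kernel_drops}\") \
 stats.detect.engines.0.last_reload=string(\"${last_reload}\") \
 # … remaining keys in the same key=int64("${value}") form …
 )\n");
};
```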
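Review bot: The new `template(t_suricata_nas81_stats)` line drops the `@timestamp=${ISODATE}` field the removed `$(format-json ...)` template was emitting and the new template (defined in nas81-stats-template.conf, not in this hunk) writes the date under `timestamp` instead, so stats documents indexed into `nas81` after this change carry no `@timestamp`. If the index mapping or any Kibana index pattern uses `@timestamp` as its date field, as the old template implies, new stats events will be undated or land in a different field than the existing ones; either rename the key in the template, `\"@timestamp\": \"${ISODATE}\",`, or document here that stats documents intentionally use Suricata's native `timestamp` name. Note also that the rfc5424 scope (HOST, PROGRAM, etc.) is no longer attached to the document, which is fine only while this destination is fed by a single sensor.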