Suricata Telegraf Input Plugin

Suricata is an open source threat detection engine that powers intrusion detection systems (IDS) and intrusion prevention systems (IPS). These systems protect your network by monitoring it for threats. They inspect traffic and identify and report security issues. This plugin takes internal data output by the Suricata IDS/IPS engine and formats it for Telegraf.

Why use the Suricata Telegraf Input Plugin?

The Suricata Telegraf Input Plugin lets you monitor internal performance counters of Suricata, including captured traffic volume, memory usage, uptime, flow counters, and more. It can also report Suricata IDS/IPS alerts. It takes the JSON data output by Suricata and processes it for easy use in Telegraf. This allows you to monitor statistics on how Suricata functions on your network and take action against security threats.

How to monitor Suricata using the Telegraf plugin

Suricata outputs a log with statistics in JSON format. To configure this plugin and capture that output for use with Telegraf, you can create an additional output in the Suricata configuration file. You set that as your source, choose a delimiter for flattening field keys, and set whether you also want to detect alert logs. FreeBSD users should check their local buffer size to ensure it has enough memory to transmit Suricata data without truncating it. The plugin cannot process truncated data properly. The Suricata plugin allows you to monitor Suricata on your network to get a clear view of how it detects and stops security threats.

Key Suricata metrics to use for monitoring

Some of the important Suricata metrics that you should proactively monitor include:

  • suricata
    • tags:
      • thread: Global for global statistics (if enabled), thread IDs (e.g. W#03-enp0s31f6) for thread-specific statistics
    • fields:
      • app_layer_flow_dcerpc_udp
      • app_layer_flow_dns_tcp
      • app_layer_flow_dns_udp
      • app_layer_flow_enip_udp
      • app_layer_flow_failed_tcp
      • app_layer_flow_failed_udp
      • app_layer_flow_http
      • app_layer_flow_ssh
      • app_layer_flow_tls
      • app_layer_tx_dns_tcp
      • app_layer_tx_dns_udp
      • app_layer_tx_enip_udp
      • app_layer_tx_http
      • app_layer_tx_smtp
      • capture_kernel_drops
      • capture_kernel_packets
      • decoder_avg_pkt_size
      • decoder_bytes
      • decoder_ethernet
      • decoder_gre
      • decoder_icmpv4
      • decoder_icmpv4_ipv4_unknown_ver
      • decoder_icmpv6
      • decoder_invalid
      • decoder_ipv4
      • decoder_ipv6
      • decoder_max_pkt_size
      • decoder_pkts
      • decoder_tcp
      • decoder_tcp_hlen_too_small
      • decoder_tcp_invalid_optlen
      • decoder_teredo
      • decoder_udp
      • decoder_vlan
      • detect_alert
      • dns_memcap_global
      • dns_memuse
      • flow_memuse
      • flow_mgr_closed_pruned
      • flow_mgr_est_pruned
      • flow_mgr_flows_checked
      • flow_mgr_flows_notimeout
      • flow_mgr_flows_removed
      • flow_mgr_flows_timeout
      • flow_mgr_flows_timeout_inuse
      • flow_mgr_new_pruned
      • flow_mgr_rows_checked
      • flow_mgr_rows_empty
      • flow_mgr_rows_maxlen
      • flow_mgr_rows_skipped
      • flow_spare
      • flow_tcp_reuse
      • http_memuse
      • tcp_memuse
      • tcp_pseudo
      • tcp_reassembly_gap
      • tcp_reassembly_memuse
      • tcp_rst
      • tcp_sessions
      • tcp_syn
      • tcp_synack
  • suricata_alert
    • fields:
      • action
      • gid
      • severity
      • signature
      • source_ip
      • source_port
      • target_port
For more information, please check out the documentation.
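As an added illustration, and not the Telegraf plugin's own code, the Python below reads two constructed Suricata EVE JSON lines and flattens them into the `suricata` and `suricata_alert` layout listed above: nested stats keys are joined with a configurable delimiter, per-thread counters are tagged with their thread ID and the remainder with `Global`, and alert events are only emitted when alert detection is switched on. The mapping of EVE alert keys (`src_ip`, `src_port`, `dest_port`, `alert.*`) onto the alert field names, and all sample values, are assumptions.

```python
import json

def flatten(obj, delimiter="_", prefix=""):
    """Join nested stats keys with `delimiter`; keep only numeric leaves
    (EVE stats also carry strings such as timestamps, which are not fields)."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}{delimiter}{key}" if prefix else key
        if isinstance(value, dict):
            fields.update(flatten(value, delimiter, name))
        elif isinstance(value, (int, float)) and not isinstance(value, bool):
            fields[name] = value
    return fields

def parse_eve_line(line, delimiter="_", alerts=False):
    """Return (measurement, tags, fields) tuples for one EVE JSON line: one
    'suricata' point per worker thread plus one tagged Global for a stats event,
    and a 'suricata_alert' point for an alert event when alerts=True."""
    event = json.loads(line)
    points = []
    if event.get("event_type") == "stats":
        stats = dict(event.get("stats", {}))
        threads = stats.pop("threads", {})  # per-thread counters sit under "threads"
        for thread_id, counters in threads.items():
            points.append(("suricata", {"thread": thread_id}, flatten(counters, delimiter)))
        if stats:
            points.append(("suricata", {"thread": "Global"}, flatten(stats, delimiter)))
    elif event.get("event_type") == "alert" and alerts:
        alert = event.get("alert", {})
        fields = {  # assumed mapping of EVE alert keys onto the field names listed above
            "action": alert.get("action"), "gid": alert.get("gid"),
            "severity": alert.get("severity"), "signature": alert.get("signature"),
            "source_ip": event.get("src_ip"), "source_port": event.get("src_port"),
            "target_port": event.get("dest_port")}
        points.append(("suricata_alert", {}, fields))
    return points  # other event types (flow, dns, http, ...) are ignored

# Constructed sample lines: a stats record with one worker thread, and one alert.
STATS_LINE = json.dumps({"event_type": "stats", "stats": {
    "uptime": 120, "capture": {"kernel_packets": 5000, "kernel_drops": 0},
    "decoder": {"pkts": 5000, "bytes": 3200000, "avg_pkt_size": 640},
    "threads": {"W#01-enp0s31f6": {
        "capture": {"kernel_packets": 5000, "kernel_drops": 0},
        "decoder": {"pkts": 5000, "invalid": 2}}}}})
ALERT_LINE = json.dumps({"event_type": "alert", "src_ip": "192.0.2.10", "src_port": 51234,
    "dest_ip": "192.0.2.20", "dest_port": 80, "alert": {"action": "allowed", "gid": 1,
    "signature_id": 1000001, "severity": 2, "signature": "EXAMPLE constructed rule"}})

if __name__ == "__main__":
    for point in parse_eve_line(STATS_LINE) + parse_eve_line(ALERT_LINE, alerts=True):
        print(point)
```

A non-zero `capture_kernel_drops` on either the thread or Global point is the first thing to chart, since dropped packets are traffic the engine never inspected.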
