Hi Michael,

I saw there is a suricata-reporter in the upcoming CU. And I was wondering if I could add an additional reporter into it for sending alerts straight to Zabbix, next to syslog and email. I have already been experimenting with parsing fast.log using the zabbix_agentd, which seems to work quite well. But since there is now a reporter, it would be nice to have it support sending alerts to zabbix directly instead of zabbix separately monitoring the fast.log file.
If that would be ok for you. There are 2 possible ways to do this:
- using the zabbix_utils python library: https://blog.zabbix.com/python-zabbix-utils/27056/
- or using the zabbix_sender command utility that currently gets installed when installing zabbix_agentd

I assume using the python library will probably be the most performant option; but then I should also create a zabbix_utils python library pak-file? Both the python module and the commandline cli have the possibility to get zabbix server connection info from the zabbix_agentd configfile, so config of the reporter would be something like:

    [zabbix]
    enabled = true
    zabbix_agentd_config = /etc/zabbix_agentd/zabbix_agentd.conf
    alert_item_key = ipfire.suricata.event.get

Then the reporter can format the incoming suricata alert/event as json and send it to the configured alert_item_key on the zabbix server as configured in the zabbix_agentd.conf.

Is this something you are open to? Then I can try to create a patch for suricata-reporter. (Where should I then submit it? Also on this list?) If not, I will have to continue working on the fast.log parsing.

And while on the topic of monitoring suricata: I would like to get some extra stats from it, which, as far as I currently know, can be retrieved using the suricata unix-socket that is currently disabled by default on ipfire. Many seem to use a 'suricatasc' tool to query suricata using that socket, but that tool is not available on ipfire. Is it possible to have it on ipfire, or should I start experimenting using socat? And if successful, is it then allowed for a future zabbix_agentd addon pak to enable that socket in the suricata config? If you dislike the idea of enabling and querying the socket, another possibility is having suricata dump stats in a separate stats.log which I should then be able to parse using Zabbix.

Before I start any implementations, what are your thoughts about all this?
Regards,
Robin
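An added example, not Robin's code and not part of suricata-reporter, of what the proposed [zabbix] reporter would do without the zabbix_utils dependency: read ServerActive and Hostname from zabbix_agentd.conf, wrap one Suricata EVE alert as JSON and frame it in the Zabbix sender ("trapper") protocol for the configured alert_item_key. The agent config text, the alert and the signature id are constructed sample data; only the frame is built offline, the network send is a separate function.

```python
import json
import socket
import struct

# Constructed sample zabbix_agentd.conf (only the keys the sender needs).
SAMPLE_AGENTD_CONF = """\
# constructed sample
Server=127.0.0.1
ServerActive=192.0.2.10:10051
Hostname=ipfire-fw
"""

# Constructed sample Suricata EVE alert, as the reporter would receive it.
SAMPLE_ALERT = {
    "timestamp": "2024-05-01T12:00:00.000000+0000", "event_type": "alert",
    "src_ip": "198.51.100.7", "dest_ip": "192.0.2.20", "proto": "TCP",
    "alert": {"signature_id": 1000001, "signature": "LOCAL constructed test rule", "severity": 2},
}

ITEM_KEY = "ipfire.suricata.event.get"  # alert_item_key from the proposed [zabbix] section


def read_agentd_config(text):
    """Return (server, port, hostname) from zabbix_agentd.conf text; comments are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    server, _, port = values["ServerActive"].partition(":")
    return server, int(port or 10051), values.get("Hostname", socket.gethostname())


def build_sender_frame(hostname, item_key, alert):
    """Frame one alert as a Zabbix 'sender data' request: ZBXD header, 8-byte LE length, JSON."""
    body = json.dumps({"request": "sender data",
                       "data": [{"host": hostname, "key": item_key, "value": json.dumps(alert)}]}).encode()
    return b"ZBXD\x01" + struct.pack("<Q", len(body)) + body


def send_alert(config_text, item_key, alert, timeout=5):
    """Send one alert to ServerActive from the agent config and return the server's JSON reply."""
    server, port, hostname = read_agentd_config(config_text)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_sender_frame(hostname, item_key, alert))
        reply = sock.makefile("rb")  # .read() loops until all requested bytes arrive
        header = reply.read(13)
        length = struct.unpack("<Q", header[5:13])[0]
        return json.loads(reply.read(length))
```

Each alert becomes one value on the Zabbix item, so on the server side the item should be of type "Zabbix trapper" with text/log value type and a preprocessing step that extracts the fields you want to trigger on.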
