
Suricata Metrics via Telegraf

Ship your Suricata Metrics via Telegraf to your Logit.io Stack

Configure Telegraf to ship Suricata metrics to your Logit.io stacks via Logstash.


Follow this step-by-step guide to ship metrics from your system to Logit.io:

Step 1 - Install Telegraf

This integration allows you to configure a Telegraf agent to send your metrics, in multiple formats, to Logit.io.

Telegraf is a flexible server agent equipped with plug-in support, useful for sending metrics and events from data sources like web servers, APIs, application logs, and cloud services.

To ship your metrics to Logit.io, we will add the relevant input plug-in and the outputs.http plug-in to your Telegraf configuration file.

Choose the install for your operating system below to get started:

Windows

wget https://dl.influxdata.com/telegraf/releases/telegraf-1.19.2_windows_amd64.zip

Download and extract to: C:\Program Files\Logitio\telegraf\

Configuration file: C:\Program Files\Logitio\telegraf\

MacOS

brew install telegraf

Configuration file x86_64 Intel: /usr/local/etc/telegraf.conf
Configuration file ARM (Apple Silicon): /opt/homebrew/etc/telegraf.conf

Ubuntu/Debian

wget -q https://repos.influxdata.com/influxdata-archive_compat.key
echo '393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c influxdata-archive_compat.key' | sha256sum -c && cat influxdata-archive_compat.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg > /dev/null
echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list

sudo apt-get update
sudo apt-get install telegraf

Configuration file: /etc/telegraf/telegraf.conf

RedHat and CentOS

cat <<EOF | sudo tee /etc/yum.repos.d/influxdata.repo
[influxdata]
name = InfluxData Repository - Stable
baseurl = https://repos.influxdata.com/stable/\$basearch/main
enabled = 1
gpgcheck = 1
gpgkey = https://repos.influxdata.com/influxdata-archive_compat.key
EOF

sudo yum install telegraf

Configuration file: /etc/telegraf/telegraf.conf

SLES & openSUSE

zypper ar -f obs://devel:languages:go/ go
zypper in telegraf

Configuration file: /etc/telegraf/telegraf.conf

FreeBSD/PC-BSD

sudo pkg install telegraf

Configuration file: /etc/telegraf/telegraf.conf

Read more about how to configure data scraping and configuration options for Telegraf

Step 2 - Configure the Telegraf input plugin

The configuration below is pre-configured to collect Suricata stats (and optionally alerts) from your hosts. Add the following to the configuration file /etc/telegraf/telegraf.conf from the previous step.

# Suricata stats and alerts plugin
[[inputs.suricata]]
  ## Source
  ## Data sink for Suricata stats log. This is expected to be a filename of a
  ## unix socket to be created for listening.
  source = "/var/run/suricata-stats.sock"

  ## Delimiter
  ## Used for flattening field keys, e.g. subitem "alert" of "detect" becomes
  ## "detect_alert" when delimiter is "_".
  delimiter = "_"

  ## Metric version
  ## Version 1 only collects stats and optionally will look for alerts if
  ## the configuration setting alerts is set to true.
  ## Version 2 parses any event type message by default and produced metrics
  ## under a single metric name using a tag to differentiate between event
  ## types. The timestamp for the message is applied to the generated metric.
  ## Additional tags and fields are included as well.
  # version = "1"

  ## Alerts
  ## In metric version 1, only status is captured by default, alerts must be
  ## turned on with this configuration option. This option does not apply for
  ## metric version 2.
  # alerts = false

Read more about how to configure data scraping and configuration options for Suricata
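To make the flattening described in the comments above concrete, here is an added Python illustration (not Telegraf's code) that parses a constructed EVE stats line the way the plugin's metric version 1 is described: nested keys are joined with the configured delimiter, only numeric values become fields, and per-thread counters become separate metrics tagged by thread name. The thread="total" tag for the aggregate counters is an assumption taken from the plugin's documentation, and the sample event is constructed, not real capture data.

```python
import json

DELIMITER = "_"  # matches `delimiter = "_"` in the telegraf.conf above

# Constructed EVE line shaped like Suricata's `event_type: stats` output
# (not real capture data); `threads` appears when eve-log has `threads: yes`.
SAMPLE_EVENT = {
    "timestamp": "2024-01-01T00:00:00.000000+0000", "event_type": "stats",
    "stats": {"uptime": 120,
              "capture": {"kernel_packets": 1500, "kernel_drops": 3},
              "detect": {"alert": 7, "engines": [{"id": 0}]},
              "threads": {"W#01": {"capture": {"kernel_packets": 800}}}},
}
SAMPLE_LINE = json.dumps(SAMPLE_EVENT) + "\n"  # Suricata writes one JSON per line


def flatten(obj, delimiter=DELIMITER, prefix=""):
    """{"detect": {"alert": 7}} -> {"detect_alert": 7}. Only numeric leaves
    become fields; strings, bools and lists (e.g. detect.engines) are dropped."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}{delimiter}{key}" if prefix else key
        if isinstance(value, dict):
            fields.update(flatten(value, delimiter, name))
        elif isinstance(value, (int, float)) and not isinstance(value, bool):
            fields[name] = value
    return fields


def parse_stats_event(line, delimiter=DELIMITER):
    """Turn one EVE JSON line into a list of (tags, fields) metrics.
    Non-stats events yield [] (version 1 ignores them unless alerts = true)."""
    event = json.loads(line)
    if event.get("event_type") != "stats":
        return []
    stats = dict(event["stats"])
    threads = stats.pop("threads", {})
    # Aggregate counters first; thread="total" is assumed from the plugin docs.
    metrics = [({"thread": "total"}, flatten(stats, delimiter))]
    for name, counters in threads.items():  # one metric per Suricata thread
        metrics.append(({"thread": name}, flatten(counters, delimiter)))
    return metrics


if __name__ == "__main__":
    for tags, fields in parse_stats_event(SAMPLE_LINE):
        print(tags, fields)
```

Telegraf creates and listens on the socket named in `source`, so start it before pointing Suricata's eve-log output at that path, and restart Suricata if it was already running.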

Step 3 - Configure the output plugin

Once you have generated the configuration file, you need to set up the output plug-in so that Telegraf can transmit your data to Logit.io in Prometheus remote write format. Add the following to your configuration file:

[[outputs.http]]
  url = "https://<your-metrics-username>:<your-metrics-password>@<your-metrics-stack-id>-vm.logit.io:0/api/v1/write"
  data_format = "prometheusremotewrite"

  [outputs.http.headers]
    Content-Type = "application/x-protobuf"
    Content-Encoding = "snappy"

Step 4 - Start Telegraf

Windows

telegraf.exe --service start

MacOS

telegraf --config telegraf.conf

Linux

sudo service telegraf start

For systemd installations:

systemctl start telegraf

Step 5 - View your metrics

Data should now have been sent to your Stack.


If you don't see metrics, take a look at How to diagnose no data in Stack below for how to diagnose common issues.

Step 6 - How to diagnose no data in Stack

If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.

Step 7 - Telegraf Suricata Overview

To effectively monitor and analyze Suricata metrics in a distributed environment, it's crucial to use a reliable and efficient metrics management solution. Telegraf, an open-source server agent for collecting metrics, is well suited to this task: it can gather Suricata metrics from a variety of sources, including running Suricata instances, databases, and other relevant applications.

Telegraf offers a comprehensive range of input plugins, allowing users to collect metrics from different sources such as CPU usage, memory utilization, network activity, and more. To store and analyze these collected metrics, organizations can use Prometheus, an open-source monitoring and alerting tool known for its flexible query language and robust graphical data visualization capabilities.

To transport Suricata metrics from Telegraf to Prometheus, organizations should configure Telegraf to output metrics in the Prometheus format, and then set up Prometheus to scrape these metrics from the Telegraf server. This process involves setting up Telegraf to collect Suricata metrics, rendering them in the Prometheus format, configuring Prometheus to retrieve these metrics from the Telegraf server, and then interpreting the data visually using Prometheus's querying and data visualization tools.

Once the metrics are successfully imported into Prometheus, further analysis and visualization can be carried out using Grafana. Grafana is an open-source platform known for its monitoring and observability capabilities, and it is fully compatible with Prometheus. It enables users to build dynamic, interactive dashboards for a deeper understanding of the metrics data, offering a comprehensive view of performance trends and potential issues.

If you need any further assistance with shipping your log data to Logit.io we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat & we'll be happy to assist.


© 2024 Logit.io Ltd, All rights reserved.