SELKS | suricata | Nagios monitoring

You wanna monitor suricata via nagios?

On Suricata machine do:

1. Create a pipe and set permissions.

 # mknod -m 666 /var/pipes/suricata.pipe p

2. Let suricata write the fast log to this pipe by editing /etc/suricata/selks[VERSION]-addin.yaml:

 outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: /var/pipes/suricata.pipe
      append: yes

3. Prepare and test the Nagios NSCA client.
This client connects to the NSCA server. The NSCA server receives the transmitted check results, translates them into the external command syntax and writes the resulting command to /var/nagios/rw/nagios.cmd

 echo -e "NAGIOSHOSTNAMEINNAGIOSCONFIG\tNAGIOSSERVICENAMEINNAGIOSCONFIG\t2\tTEST ALERT\n" | /usr/sbin/send_nsca -H nagios.server.local -c /etc/send_nsca.cfg

Attention! The fields are separated by TABs.
The command should return something like “1 dataset transmitted”. If it prints “0 datasets” something went wrong on the receiving side; maybe you made syntax errors.
If the server returns a CRC32 error you have run into a version incompatibility between client and server. Do not worry, there is a poor man's solution I will describe here.

4. If your nsca client and server are incompatible do the following:
On the server side select a free higher port and run nc (netcat) in a loop. Keep in mind that this listener performs no authentication: anything written to that port lands in nagios.cmd, which accepts every Nagios external command, so restrict the port to the sensor's address with a firewall rule.

 # while true; do nc -l -p 55667 >> /var/nagios/rw/nagios.cmd; done&

On client side run

 # echo -e "[$(date +%s)] PROCESS_SERVICE_CHECK_RESULT;<NAGIOSCONFIG_SERVER_NAME>;<NAGIOSCONFIG_SERVICE_NAME>;<RESULT_0_or_1_or_2>;<YOUR_IMPORTANT_MESSAGE>"  | nc -q 0 nagios.MYDOMAIN.MYTLD <PORT>

ATTENTION(!): PROCESS_SERVICE_CHECK_RESULT is a fixed string not a variable.

5. Create a script that consumes the piped suricata log.

 #!/bin/bash
 # Usage: ./suricata2nagios.sh /var/pipes/suricata.pipe
 while true; do
    test -r "$1" || exit 1
    while IFS= read -r line; do
      #PLACE EITHER YOUR ECHO TO NSCA CLIENT
      #OR
      #YOUR ECHO TO NETCAT HERE
      : "$line"   # no-op placeholder so the loop body is valid until you add your echo
    done < "$1"
 done
 exit 1
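As an added, complete version of the script from step 5 (this is example code, not from the SELKS page or the Suricata project), the following reads fast.log lines off the pipe, turns each into a Nagios passive check result and forwards it either through send_nsca (step 3) or through the netcat fallback (step 4). The host name, service name, server name and port are assumed placeholders, the mapping of Suricata priorities to Nagios states is an assumption you may want to change, and the sample line is constructed, not captured from a real sensor.

```shell
#!/bin/bash
# Added example, not part of the SELKS page: build Nagios passive check results
# from Suricata fast.log lines and forward them.

NAGIOS_HOST="${NAGIOS_HOST:-suricata-sensor}"         # host name as defined in the Nagios config (assumed)
NAGIOS_SERVICE="${NAGIOS_SERVICE:-suricata-alerts}"   # service name as defined in the Nagios config (assumed)
NAGIOS_SERVER="${NAGIOS_SERVER:-nagios.server.local}" # NSCA server / netcat listener host (assumed)
NC_PORT="${NC_PORT:-55667}"                           # port of the netcat loop from step 4 (assumed)

# Constructed sample line in fast.log format (not from a real sensor).
SAMPLE_LINE='02/14/2024-10:15:32.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234'

# Map the "[Priority: N]" field of a fast.log line to a Nagios state.
# Assumed mapping: priority 1 -> CRITICAL (2), any other priority -> WARNING (1),
# a line without a priority field -> UNKNOWN (3).
priority_to_state() {
    case "$1" in
        *"[Priority: 1]"*)   echo 2 ;;
        *"[Priority: "*"]"*) echo 1 ;;
        *)                   echo 3 ;;
    esac
}

# Pull the signature message out of a line shaped like
# "<ts>  [**] [gid:sid:rev] <message> [**] [Classification: ...] [Priority: N] {PROTO} src -> dst"
# and replace the characters Nagios treats as separators (';', TAB, newline).
alert_message() {
    rest=${1#*\[\*\*\] }        # drop timestamp and the first [**]
    rest=${rest#\[*\] }         # drop [gid:sid:rev]
    msg=${rest%% \[\*\*\]*}     # keep everything up to the second [**]
    printf '%s' "$msg" | tr ';\t\n' ',  '
}

# The "{PROTO} src -> dst" tail of the line, reduced to "src -> dst".
alert_flow() {
    flow=${1##*\} }
    printf '%s' "$flow"
}

# TAB-separated line for send_nsca (step 3).
nsca_line() {
    printf '%s\t%s\t%s\t%s %s\n' "$NAGIOS_HOST" "$NAGIOS_SERVICE" \
        "$(priority_to_state "$1")" "$(alert_message "$1")" "$(alert_flow "$1")"
}

# External command for the netcat fallback (step 4); an optional second
# argument overrides the timestamp so the output is reproducible.
external_command() {
    now="${2:-$(date +%s)}"
    printf '[%s] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%s;%s %s\n' "$now" \
        "$NAGIOS_HOST" "$NAGIOS_SERVICE" \
        "$(priority_to_state "$1")" "$(alert_message "$1")" "$(alert_flow "$1")"
}

# Read the pipe forever and forward each alert; $2 selects "nsca" (default) or "nc".
forward_alerts() {
    pipe="$1"; method="${2:-nsca}"
    while :; do
        test -r "$pipe" || exit 1
        while IFS= read -r line; do
            case "$method" in
                nc) external_command "$line" | nc -q 0 "$NAGIOS_SERVER" "$NC_PORT" ;;
                *)  nsca_line "$line" | /usr/sbin/send_nsca -H "$NAGIOS_SERVER" -c /etc/send_nsca.cfg ;;
            esac
        done < "$pipe"
    done
}

# Run as: ./suricata2nagios.sh /var/pipes/suricata.pipe [nsca|nc]
if [ $# -ge 1 ]; then
    forward_alerts "$1" "$2"
fi
```

The separator handling matters for the netcat path in particular: a `;` inside a signature message would otherwise shift the fields of the external command, so the message is sanitised before it is sent.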