SELKS | suricata | Nagios monitoring

You wanna monitor suricata via nagios?

On Suricata machine do:

1. Create a pipe and set permissions.

 # mknod -m 666 /var/pipes/suricata.pipe p

2. Let suricata write the fast log to this pipe tuning the /etc/suricata/selks[VERSION]-addin.yaml:

 outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: /var/pipes/suricata.pipe
      append: yes

3. Prepare and test Nagios NSCA client.
This client connects to the NSCA server. The NSCA server eats the transmitted command, translates them the external command syntax and writes this command to /var/nagios/rw/nagios.cmd

 echo -e "NAGIOSHOSTNAMEINNAGIOSCONFIG\tNAGIOSSERVICENAMEINNAGIOSCONFIG\t2\tTEST ALERT\n" | /usr/sbin/send_nsca -H nagios.server.local -c /etc/send_nsca.cfg

Attention! Commands are separated by TABs
Command should return something like “1 dataset transmitted”. If it prints “0 datasets” something went wrong on the receiving side. Maybe you made syntax errors.
If the server returns a CRC32 error you run into a version incopatibility between client and server versions. Do not worry, there is a poor mans solution i will describe here.

4. If your nsca client and server are incompatible do the following:
On server side select a free higher port and run nc (netcat) in a loop

 # while true; do nc -l -p 55667 >> /var/nagios/rw/nagios.cmd; done&

On client side run

 # echo -e "[$(date +%s)] PROCESS_SERVICE_CHECK_RESULT;NIDS;NIDservice;1;Your important warning message"  | nc -q 0 care.inbbradio.de 55667

4. Create a script milling the piped suricata log.

 #!/bin/bash
 while true; do 
    test -r "$1" || exit 1
    while read line; do 
      #PLACE EITHER YOUR ECHO TO NSCA CLIENT
      #OR
      #YOUR ECHO TO NETCAT HERE
    done < /var/pipes/suricata.pipe; 
done
exit 1