CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1477 from Security-Onion-Solutions/issue/1403

Browse Source 
Issue/1403
This commit is contained in:
Josh Patterson
2020-10-07 17:47:21 -04:00
committed by GitHub
parent 7befff3baa be7167d99b
commit 0a982dec95
6 changed files with 6388 additions and 5549 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8763
salt/grafana/dashboards/eval/eval.json
View File

File diff suppressed because it is too large Load Diff

2999
salt/grafana/dashboards/sensor_nodes/sensor.json
View File

File diff suppressed because it is too large Load Diff

139
salt/grafana/dashboards/standalone/standalone.json
View File

@@ -4231,6 +4231,139 @@
"alignLevel": null "alignLevel": null
} }
}, },
{
"aliasColors": {},
"bars": true,
"dashLength": 10,
"dashes": false,
"datasource": "InfluxDB",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 5,
"w": 4,
"x": 16,
"y": 25
},
"hiddenSeries": false,
"id": 71,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": false,
"linewidth": 1,
"nullPointMode": "null",
"options": {
"dataLinks": []
},
"percentage": false,
"pointradius": 2,
"points": true,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"groupBy": [
{
"params": [
"$__interval"
],
"type": "time"
},
{
"params": [
"null"
],
"type": "fill"
}
],
"measurement": "zeekcaptureloss",
"orderByTime": "ASC",
"policy": "autogen",
"refId": "A",
"resultFormat": "time_series",
"select": [
[
{
"params": [
"loss"
],
"type": "field"
},
{
"params": [],
"type": "mean"
}
]
],
"tags": [
{
"key": "host",
"operator": "=",
"value": "{{ SERVERNAME }}"
}
]
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "{{ SERVERNAME }} - Zeek Capture Loss",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"$$hashKey": "object:198",
"decimals": 1,
"format": "percent",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"$$hashKey": "object:199",
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{ {
"aliasColors": {}, "aliasColors": {},
"bars": false, "bars": false,
@@ -4428,7 +4561,7 @@
"type": "fill" "type": "fill"
} }
], ],
"measurement": "brodrop", "measurement": "zeekdrop",
"orderByTime": "ASC", "orderByTime": "ASC",
"policy": "default", "policy": "default",
"refId": "A", "refId": "A",
@@ -4867,8 +5000,8 @@
"fillGradient": 0, "fillGradient": 0,
"gridPos": { "gridPos": {
"h": 5, "h": 5,
"w": 8, "w": 4,
"x": 16, "x": 20,
"y": 30 "y": 30
}, },
"hiddenSeries": false, "hiddenSeries": false,

12
salt/telegraf/etc/telegraf.conf
View File

@@ -679,7 +679,8 @@
"/scripts/stenoloss.sh", "/scripts/stenoloss.sh",
"/scripts/suriloss.sh", "/scripts/suriloss.sh",
"/scripts/checkfiles.sh", "/scripts/checkfiles.sh",
"/scripts/broloss.sh", "/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
"/scripts/oldpcap.sh" "/scripts/oldpcap.sh"
] ]
data_format = "influx" data_format = "influx"
@@ -691,7 +692,8 @@
"/scripts/stenoloss.sh", "/scripts/stenoloss.sh",
"/scripts/suriloss.sh", "/scripts/suriloss.sh",
"/scripts/checkfiles.sh", "/scripts/checkfiles.sh",
"/scripts/broloss.sh", "/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
"/scripts/oldpcap.sh" "/scripts/oldpcap.sh"
] ]
data_format = "influx" data_format = "influx"
@@ -702,7 +704,8 @@
"/scripts/stenoloss.sh", "/scripts/stenoloss.sh",
"/scripts/suriloss.sh", "/scripts/suriloss.sh",
"/scripts/checkfiles.sh", "/scripts/checkfiles.sh",
"/scripts/broloss.sh", "/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
"/scripts/oldpcap.sh", "/scripts/oldpcap.sh",
"/scripts/influxdbsize.sh" "/scripts/influxdbsize.sh"
] ]
@@ -713,7 +716,8 @@
"/scripts/stenoloss.sh", "/scripts/stenoloss.sh",
"/scripts/suriloss.sh", "/scripts/suriloss.sh",
"/scripts/checkfiles.sh", "/scripts/checkfiles.sh",
"/scripts/broloss.sh", "/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
"/scripts/oldpcap.sh", "/scripts/oldpcap.sh",
"/scripts/helixeps.sh" "/scripts/helixeps.sh"
] ]

16
salt/telegraf/scripts/zeekcaptureloss.sh Normal file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp
{%- set WORKERS = salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) %}
ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log
LASTCAPTURELOSSLOG=/var/log/telegraf/lastcaptureloss.txt
if [ -f "$ZEEKLOG" ]; then
CURRENTTS=$(tail -1 $ZEEKLOG | jq .ts | sed 's/"//g')
if [ -f "$LASTCAPTURELOSSLOG" ]; then
LASTTS=$(cat $LASTCAPTURELOSSLOG)
if [[ "$LASTTS" != "$CURRENTTS" ]]; then
LOSS=$(tail -{{WORKERS}} $ZEEKLOG | awk -F, '{print $NF}' | sed 's/}//' | awk -F: '{LOSS += $2 / {{WORKERS}}} END { print LOSS}')
echo "zeekcaptureloss loss=$LOSS"
fi
fi
echo "$CURRENTTS" > $LASTCAPTURELOSSLOG
fi

6
salt/telegraf/scripts/broloss.sh → salt/telegraf/scripts/zeekloss.sh
View File

@@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
# This script returns the packets dropped by Zeek, but it isn't a percentage. $LOSS * 100 would be the percentage
ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2) ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
declare RESULT=($ZEEKLOG) declare RESULT=($ZEEKLOG)
CURRENTDROP=${RESULT[3]} CURRENTDROP=${RESULT[3]}
@@ -7,11 +7,11 @@ PASTDROP=${RESULT[9]}
DROPPED=$((CURRENTDROP - PASTDROP)) DROPPED=$((CURRENTDROP - PASTDROP))
if [ $DROPPED == 0 ]; then if [ $DROPPED == 0 ]; then
LOSS=0 LOSS=0
echo "brodrop drop=0" echo "zeekdrop drop=0"
else else
CURRENTPACKETS=${RESULT[5]} CURRENTPACKETS=${RESULT[5]}
PASTPACKETS=${RESULT[11]} PASTPACKETS=${RESULT[11]}
TOTAL=$((CURRENTPACKETS - PASTPACKETS)) TOTAL=$((CURRENTPACKETS - PASTPACKETS))
LOSS=$(echo $DROPPED $TOTAL / p | dc) LOSS=$(echo $DROPPED $TOTAL / p | dc)
echo "brodrop drop=$LOSS" echo "zeekdrop drop=$LOSS"
fi fi