CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

add zeekcaptureloss to data to influxdb. rename broloss to zeekloss - https://github.com/Security-Onion-Solutions/securityonion/issues/1403

Browse Source
This commit is contained in:
m0duspwnens
2020-10-06 18:05:41 -04:00
parent 7d14c68d70
commit 73ce948d42
6 changed files with 20 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
salt/telegraf/etc/telegraf.conf
View File

@@ -679,7 +679,8 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
"/scripts/broloss.sh",
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
"/scripts/oldpcap.sh"
]
data_format = "influx"
@@ -691,7 +692,8 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
"/scripts/broloss.sh",
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
"/scripts/oldpcap.sh"
]
data_format = "influx"
@@ -702,7 +704,8 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
"/scripts/broloss.sh",
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
"/scripts/oldpcap.sh",
"/scripts/influxdbsize.sh"
]
@@ -713,7 +716,8 @@
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
"/scripts/broloss.sh",
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
"/scripts/oldpcap.sh",
"/scripts/helixeps.sh"
]

7
salt/telegraf/scripts/zeekcaptureloss.sh Normal file
View File

@@ -0,0 +1,7 @@
#!/bin/bash
{% set WORKERS = salt['pillar.get']('sensor:zeekprocs', salt['pillar.get']('sensor:zeekpins') | length) %}
ZEEKLOG=/host/nsm/zeek/logs/current/capture_loss.log
if [ -f "$ZEEKLOG" ]; then
LOSS=$(tail -{{WORKERS}} $ZEEKLOG | awk -F, '{print $NF}' | sed 's/}//' | awk -F: '{LOSS += $2 / {{WORKERS}}} END { print "loss: " LOSS}')
echo "zeekcaptureloss loss=$LOSS"
fi

5
salt/telegraf/scripts/broloss.sh → salt/telegraf/scripts/zeekloss.sh
View File

@@ -1,5 +1,4 @@
#!/bin/bash
ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
declare RESULT=($ZEEKLOG)
CURRENTDROP=${RESULT[3]}
@@ -7,11 +6,11 @@ PASTDROP=${RESULT[9]}
DROPPED=$((CURRENTDROP - PASTDROP))
if [ $DROPPED == 0 ]; then
LOSS=0
echo "brodrop drop=0"
echo "zeekdrop drop=0"
else
CURRENTPACKETS=${RESULT[5]}
PASTPACKETS=${RESULT[11]}
TOTAL=$((CURRENTPACKETS - PASTPACKETS))
LOSS=$(echo $DROPPED $TOTAL / p | dc)
echo "brodrop drop=$LOSS"
echo "zeekdrop drop=$LOSS"
fi