add zeekcaptureloss to data to influxdb. rename broloss to zeekloss - https://github.com/Security-Onion-Solutions/securityonion/issues/1403

salt/grafana/dashboards/eval/eval.json

@@ -414,7 +414,7 @@
                 "type": "fill"
               }
             ],
-            "measurement": "brodrop",
+            "measurement": "zeekdrop",
             "orderByTime": "ASC",
             "policy": "default",
             "refId": "A",

salt/grafana/dashboards/sensor_nodes/sensor.json

@@ -413,7 +413,7 @@
               "type": "fill"
             }
           ],
-          "measurement": "brodrop",
+          "measurement": "zeekdrop",
           "orderByTime": "ASC",
           "policy": "default",
           "refId": "A",

salt/grafana/dashboards/standalone/standalone.json

@@ -4428,7 +4428,7 @@
               "type": "fill"
             }
           ],
-          "measurement": "brodrop",
+          "measurement": "zeekdrop",
           "orderByTime": "ASC",
           "policy": "default",
           "refId": "A",

salt/telegraf/etc/telegraf.conf

@@ -679,7 +679,8 @@
      "/scripts/stenoloss.sh",
      "/scripts/suriloss.sh",
      "/scripts/checkfiles.sh",
-     "/scripts/broloss.sh",
+     "/scripts/zeekloss.sh",
+     "/scripts/zeekcaptureloss.sh",
      "/scripts/oldpcap.sh"
    ]
    data_format = "influx"
@@ -691,7 +692,8 @@
      "/scripts/stenoloss.sh",
      "/scripts/suriloss.sh",
      "/scripts/checkfiles.sh",
-     "/scripts/broloss.sh",
+     "/scripts/zeekloss.sh",
+     "/scripts/zeekcaptureloss.sh",
      "/scripts/oldpcap.sh"
    ]
    data_format = "influx"
@@ -702,7 +704,8 @@
      "/scripts/stenoloss.sh",
      "/scripts/suriloss.sh",
      "/scripts/checkfiles.sh",
-     "/scripts/broloss.sh",
+     "/scripts/zeekloss.sh",
+     "/scripts/zeekcaptureloss.sh",
      "/scripts/oldpcap.sh",
      "/scripts/influxdbsize.sh"
    ]
@@ -713,7 +716,8 @@
     "/scripts/stenoloss.sh",
     "/scripts/suriloss.sh",
     "/scripts/checkfiles.sh",
-    "/scripts/broloss.sh",
+    "/scripts/zeekloss.sh",
+    "/scripts/zeekcaptureloss.sh",
     "/scripts/oldpcap.sh",
     "/scripts/helixeps.sh"
   ]

salt/telegraf/scripts/zeekcaptureloss.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+{% set WORKERS = salt['pillar.get']('sensor:zeekprocs', salt['pillar.get']('sensor:zeekpins') | length) %}
+ZEEKLOG=/host/nsm/zeek/logs/current/capture_loss.log
+if [ -f "$ZEEKLOG" ]; then
+  LOSS=$(tail -{{WORKERS}} $ZEEKLOG | awk -F, '{print $NF}' | sed 's/}//' | awk -F: '{LOSS += $2 / {{WORKERS}}} END { print "loss: " LOSS}')
+  echo "zeekcaptureloss loss=$LOSS"
+fi

salt/telegraf/scripts/zeekloss.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-
 ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
 declare RESULT=($ZEEKLOG)
 CURRENTDROP=${RESULT[3]}
@@ -7,11 +6,11 @@ PASTDROP=${RESULT[9]}
 DROPPED=$((CURRENTDROP - PASTDROP))
 if [ $DROPPED == 0 ]; then
   LOSS=0
-  echo "brodrop drop=0"
+  echo "zeekdrop drop=0"
 else
   CURRENTPACKETS=${RESULT[5]}
   PASTPACKETS=${RESULT[11]}
   TOTAL=$((CURRENTPACKETS - PASTPACKETS))
   LOSS=$(echo $DROPPED $TOTAL / p | dc)
-  echo "brodrop drop=$LOSS"
+  echo "zeekdrop drop=$LOSS"
 fi