breakout common state - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/587

salt/telegraf/scripts/broloss.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
+declare RESULT=($ZEEKLOG)
+CURRENTDROP=${RESULT[3]}
+PASTDROP=${RESULT[9]}
+DROPPED=$(($CURRENTDROP - $PASTDROP))
+if [ $DROPPED == 0 ]; then
+  LOSS=0
+  echo "brodrop drop=0"
+else
+  CURRENTPACKETS=${RESULT[5]}
+  PASTPACKETS=${RESULT[11]}
+  TOTAL=$(($CURRENTPACKETS - $PASTPACKETS))
+  LOSS=$(echo $DROPPED $TOTAL / p | dc)
+  echo "brodrop drop=$LOSS"
+fi

salt/telegraf/scripts/checkfiles.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+FILES=$(ls -1x /host/nsm/faf/complete/ | wc -l)
+
+echo "faffiles files=$FILES"

salt/telegraf/scripts/helixeps.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+PREVCOUNTFILE='/tmp/helixevents.txt'
+EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')"
+
+if [ ! -z "$EVENTCOUNTCURRENT" ]; then
+
+  if [ -f "$PREVCOUNTFILE" ]; then
+    EVENTCOUNTPREVIOUS=`cat $PREVCOUNTFILE`
+  else
+    echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+    exit 0
+  fi
+
+  echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+  EVENTS=$(((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS)/30))
+  if [ "$EVENTS" -lt 0 ]; then
+    EVENTS=0
+  fi
+
+  echo "helixeps eps=${EVENTS%%.*}"
+
+fi
+
+exit 0

salt/telegraf/scripts/influxdbsize.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+INFLUXSIZE=$(du -s -B1 /host/nsm/influxdb | awk {'print $1'})
+
+echo "influxsize bytes=$INFLUXSIZE"

salt/telegraf/scripts/oldpcap.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Get the data
+OLDPCAP=$(find /host/nsm/pcap -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'})
+DATE=$(date +%s)
+AGE=$(($DATE - $OLDPCAP))
+
+echo "pcapage seconds=$AGE"

salt/telegraf/scripts/redis.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}')
+PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}')
+
+echo "redisqueue unparsed=$UNPARSED,parsed=$PARSED"

salt/telegraf/scripts/stenoloss.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Get the data
+DROP=$(tac /var/log/stenographer/stenographer.log | grep -m1 drop | awk '{print $14}' | awk -F "=" '{print $2}')
+
+echo "stenodrop drop=$DROP"

salt/telegraf/scripts/suriloss.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+SURILOG=$(tac /var/log/suricata/stats.log | grep kernel | head -4)
+CHECKIT=$(echo $SURILOG | grep -o 'drop' | wc -l)
+
+if [ $CHECKIT == 2 ]; then
+  declare RESULT=($SURILOG)
+
+  CURRENTDROP=${RESULT[4]}
+  PASTDROP=${RESULT[14]}
+  DROPPED=$(($CURRENTDROP - $PASTDROP))
+  if [ $DROPPED == 0 ]; then
+    LOSS=0
+    echo "suridrop drop=0"
+  else
+    CURRENTPACKETS=${RESULT[9]}
+    PASTPACKETS=${RESULT[19]}
+    TOTAL=$(($CURRENTPACKETS - $PASTPACKETS))
+
+    LOSS=$(echo $DROPPED $TOTAL / p | dc)
+    echo "suridrop drop=$LOSS"
+  fi
+else
+  echo "suridrop drop=0"
+fi