Suricata Stats in Zabbix 4 on Ubuntu 18.04 (python script error)

Question

Suricata Stats in Zabbix 4 on Ubuntu 18.04 (python script error)

psanwald opened this issue 5 years ago · comments

This project is a great idea! Thank you so much for sharing. Iam trying to get this running with zabbix 4. I had to delete the connection to the linux server template and some items from the template itself because of an internal zabbix issue (https://support.zabbix.com/browse/ZBX-11916). I didn't receive any latest data yet and when I call the python script (as it is called with the cronjob) I receive this error:

Traceback (most recent call last):
File "/etc/zabbix/scripts/suricata_stats.py", line 35, in
var, section, value = line.split('|')
ValueError: need more than 1 value to unpack

Do you have a hint for me on how to solve this?

Christophe Vandeplas · Answer 1 · Mon Jun 03 2019 17:11:06 GMT+0800 (China Standard Time)

It seems your line contains something unexpected. Suricata is a tool that evolves quite actively and this script hasn't been updated for a long time as I don't use this anymore in production.
To see what the line contains just do a print(line) after the for line in f_content:
Then run the script manually and you should see what's going on and which line fails splitting.

Some side questions:
Did you change the variables in the python script? things like

threads = 8                                     # set here the number of threads configured in suricata.yaml

Having an export from your stats.log could be valuable to troubleshoot.

Pascal Sanwald · Answer 2 · Mon Jun 03 2019 19:47:14 GMT+0800 (China Standard Time)

Thank you for answering. I did not change the variables in the python script.
But I checked the stats.log in /var/log/suricata:

Date: 5/28/2019 -- 12:29:35 (uptime: 0d, 00h 01m 00s)

Counter | TM Name | Value

capture.kernel_packets | Total | 3710
decoder.pkts | Total | 3710

I guess the script expects only the table content and not the rows in the table top.
I am not familiar with python, but changing the parsing part of the script as followed helped me, to get rid of the head:

...
for line in f_content:
if line.find("------") == -1:
if line.find("|"):
if line.find("Date:") == -1:
if line.find("TM Name") == -1:
#print(line)
var, section, value = line.split('|')
...

Now the script seem to return valid data like:

suricata[decoder.udp] 91

suricata[decoder.avg_pkt_size] 262

suricata[tcp.memuse] 2293760

suricata[flow_mgr.rows_maxlen] 3
...

.. and an error:

zabbix_sender: not found

Which is strange because zabbix-agent is installed on that machine.
After google this I found out, zabbix_sender is no longer part of zabbix_agent. So I installed zabbix_sender:
sudo apt-get install zabbix-sender

Now all error messages are gone. But the Zabbix Template / Trapper does not receive data.
So, I call the script in verbose mode:
python /etc/zabbix/scripts/suricata.py -z -v
The bottom line shows, that all 43 attempts fail:
['info from server: "processed: 0; failed: 43; total: 43; seconds spent: 0.000667"\n', 'sent: 43; skipped: 0; total: 43\n']
Do you have an idea, how I can find out, why they fail?