telegraftelegraf-inputs-pluginsuricatatelegraf-plugins

Suricata IDS/Telegraf error: Client message is too long, disconnect him


I have a problem connecting Suricata with Telegraf, using unix_stream socket:

Host: Ubuntu 20.04
Docker: SURICATA_VERSION=6.0.6
Docker: INFLUXDB_VERSION=2.1.1
Docker: TELEGRAF_VERSION=1.21

Suricata confg:

 - eve-log:
 enabled: yes
 filetype: unix_stream
 filename: /var/run/suricata/suricata-command.socket
 types:
   - stats:
       totals: no       # stats for all threads merged together
       threads: yes       # per thread stats

Telegraf config:

# Suricata stats and alerts plugin
[[inputs.suricata]]
  ## Data sink for Suricata stats and alerts logs
  # This is expected to be a filename of a
  # unix socket to be created for listening.
  source = "/tmp/suricata-command.socket"

  # Delimiter for flattening field keys, e.g. subitem "alert" of "detect"
  # becomes "detect_alert" when delimiter is "_".
  delimiter = "_"

  ## Detect alert logs
  # alerts = false

Error displayed in Suricata container log:

25/7/2022 -- 09:56:27 - <Warning> - [ERRCODE: SC_ERR_SOCKET(200)] - Write error on Unix socket "/var/run/suricata/suricata-command.socket": Broken pipe; reconnecting...
25/7/2022 -- 09:56:27 - <Notice> - Reconnected socket "/var/run/suricata/suricata-command.socket"
25/7/2022 -- 09:56:27 - <Info> - Command server: client message is too long, disconnect him.

Solution

  • The problem has been solved by the orderly deployment of the containers due to the creation of the socket between Suricata and Telegraf.

    The proper deployment order would be InfluxDB, Telegraf, and Suricata.

    Additionally, the permissions given to the socket should be considered.

    All procedures followed have been documented in the following GitHub repository. I have also included the troubleshooting carried out.