I have a problem connecting Suricata with Telegraf, using unix_stream socket:
Host: Ubuntu 20.04
Docker: SURICATA_VERSION=6.0.6
Docker: INFLUXDB_VERSION=2.1.1
Docker: TELEGRAF_VERSION=1.21
Suricata config:
  - eve-log:
      enabled: yes
      filetype: unix_stream
      filename: /var/run/suricata/suricata-command.socket
      types:
        - stats:
            totals: no    # stats for all threads merged together
            threads: yes  # per thread stats
Telegraf config:
# Suricata stats and alerts plugin
[[inputs.suricata]]
## Data sink for Suricata stats and alerts logs
# This is expected to be a filename of a
# unix socket to be created for listening.
source = "/tmp/suricata-command.socket"
# Delimiter for flattening field keys, e.g. subitem "alert" of "detect"
# becomes "detect_alert" when delimiter is "_".
delimiter = "_"
## Detect alert logs
# alerts = false
Error displayed in Suricata container log:
25/7/2022 -- 09:56:27 - <Warning> - [ERRCODE: SC_ERR_SOCKET(200)] - Write error on Unix socket "/var/run/suricata/suricata-command.socket": Broken pipe; reconnecting...
25/7/2022 -- 09:56:27 - <Notice> - Reconnected socket "/var/run/suricata/suricata-command.socket"
25/7/2022 -- 09:56:27 - <Info> - Command server: client message is too long, disconnect him.
The problem was solved by deploying the containers in an orderly way, because of how the socket between Suricata and Telegraf is created.
The proper deployment order would be InfluxDB, Telegraf, and Suricata.
Additionally, the permissions given to the socket should be considered.
All procedures followed have been documented in the following GitHub repository. I have also included the troubleshooting carried out.
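The following is an added example, not code from the post, from Suricata or from Telegraf. It is a small Python stand-in for the Telegraf side of an eve-log unix_stream sink and demonstrates the two points raised above: the listener (the Telegraf role) has to exist before the writer (the Suricata role) connects, otherwise the connect fails with ENOENT, and the socket file gets an explicit permission mode. It also shows how nested EVE stats keys flatten into "detect_alert"-style field names using the configured delimiter. The socket path is created under a temporary directory, and the stats record is constructed for the example rather than captured from a real Suricata run; the helper names are my own and are not Telegraf functions.

```python
"""Toy Telegraf-side listener for a Suricata eve-log unix_stream sink.

Added example, not Suricata or Telegraf code. Paths, helper names and the
sample EVE record below are assumptions constructed for illustration.
"""
import errno
import json
import os
import socket
import stat
import tempfile
import threading


def flatten(obj, delimiter="_", prefix=""):
    """Flatten nested dicts into single-level keys joined by delimiter,
    e.g. {"detect": {"alert": 3}} -> {"detect_alert": 3}."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{delimiter}{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, delimiter, name))
        else:
            out[name] = value
    return out


def parse_eve_line(line, delimiter="_"):
    """Parse one EVE JSON line; return flattened stats fields, or None for other event types."""
    record = json.loads(line)
    if record.get("event_type") != "stats":
        return None
    return flatten(record.get("stats", {}), delimiter)


def serve_one(path, ready, results, mode=0o660):
    """Telegraf role: create the listening socket, accept one client, read newline-delimited JSON."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)  # restrict which users may connect to the socket file
    srv.listen(1)
    ready.set()           # only now is it safe for the writer to connect
    conn, _ = srv.accept()
    with srv, conn:
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                fields = parse_eve_line(line.decode())
                if fields is not None:
                    results.append(fields)
    os.unlink(path)


def connect_errno(path):
    """Suricata role: try to connect; return the errno of the failure, or 0 on success."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        cli.connect(path)
    except OSError as exc:
        return exc.errno
    finally:
        cli.close()
    return 0


def run_demo(delimiter="_"):
    """Connect before the listener exists (fails), then start the listener and send a stats record."""
    sock_dir = tempfile.mkdtemp()
    path = os.path.join(sock_dir, "suricata-command.socket")  # assumed path for the example
    missing_before = connect_errno(path) == errno.ENOENT      # writer started first: no socket file
    ready, results = threading.Event(), []
    t = threading.Thread(target=serve_one, args=(path, ready, results))
    t.start()
    ready.wait()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Constructed EVE stats record, not output captured from a real Suricata run.
    record = {"event_type": "stats", "stats": {"detect": {"alert": 3}, "uptime": 12}}
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    cli.sendall((json.dumps(record) + "\n").encode())
    cli.close()
    t.join()
    os.rmdir(sock_dir)
    return {"missing_before": missing_before, "socket_mode": mode, "fields": results[0]}


if __name__ == "__main__":
    print(run_demo())
```

Starting the listener first and then the writer is the same ordering the post arrives at (Telegraf before Suricata); the `socket_mode` value is what the permission check on the socket file looks like from the writer's side.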