Project

General

Profile

Actions
Copy link

Bug #6732

closed

Suricata 7.0.2 parent interface object in stats contains VLAN-ID as keys

Added by Vito Piserchia 9 months ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Arne Welzel
Target version:
8.0.0-beta1
Affected Versions:
7.0.2
Effort:
Difficulty:
Label:

Description

The suricata_exporter translating from Suricata's dump-counters JSON output to Prometheus metrics expects all entries in the "threads" object to map thread names per interface to further JSON objects containing stats for individual threads.

    "threads": {
      "W#01-bond1": {
        "capture": {
          "kernel_packets": 27888,
          "kernel_drops": 0,
          "errors": 0,

With Suricata 7.0.3 (and possibly others), when a VLAN tagged interface is used, the parent interface contains a map where the children are the VLAN Tags:

{
  "W#01-bond1": {
    "30": {
      "capture": {
        "kernel_packets": 247478455,
        "kernel_drops": 186199,
       ...

These inconsistent structure is problematic for a successful decoding in all the cases. A better approach would be to have this form:

{
  "W#01-bond1.30": {
    "capture": {
      "kernel_packets": 247478455,
      "kernel_drops": 186199,
     ...

as per the command ip output:

45: bond1.30@bond1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000

A related issue exists in the suricata_exporter repo:
https://github.com/corelight/suricata_exporter/issues/12

Files

dump-counters-tagged-interface.json (33.7 KB) dump-counters-tagged-interface.json Vito Piserchia, 02/05/2024 09:25 AM

Subtasks 1 (0 open1 closed)

Bug #6746: Suricata 7.0.2 parent interface object in stats contains VLAN-ID as keys (7.0.x backport)ClosedArne WelzelActions

Related issues 2 (0 open2 closed)

Related to Suricata - Bug #6907: Fix stats key (7.0.x backport)ClosedArne WelzelActions
Blocks Suricata - Bug #6398: Suricata 7.0.1 threads object in stats contains memcap_pressure scalarsClosedJeff LucovskyActions
Actions
Copy link
 #1

Updated by Jeff Lucovsky 9 months ago

@Vito Piserchia Can you provide the entire dump-counters output?

Actions
Copy link
 #2

Updated by Vito Piserchia 9 months ago

  • Subject changed from Suricata 7.0.3 parent interface object in stats contains VLAN-ID as keys to Suricata 7.0.2 parent interface object in stats contains VLAN-ID as keys
  • Affected Versions 7.0.2 added
  • Affected Versions deleted (7.0.3)
Actions
Copy link
 #3

Updated by Vito Piserchia 9 months ago

Added {{dump-conters}} output

Actions
Copy link
 #5

Updated by Victor Julien 9 months ago

  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Arne Welzel
  • Target version changed from TBD to 8.0.0-beta1
  • Label Needs backport to 7.0 added
Actions
Copy link
 #6

Updated by OISF Ticketbot 9 months ago

  • Subtask #6746 added
Actions
Copy link
 #7

Updated by OISF Ticketbot 9 months ago

  • Label deleted (Needs backport to 7.0)
Actions
Copy link
 #8

Updated by Jeff Lucovsky 9 months ago

  • Status changed from In Progress to In Review
Actions
Copy link
 #9

Updated by Jeff Lucovsky 8 months ago

  • Blocks Bug #6398: Suricata 7.0.1 threads object in stats contains memcap_pressure scalars added
Actions
Copy link
 #10

Updated by Jeff Lucovsky 7 months ago

  • Related to Bug #6907: Fix stats key (7.0.x backport) added
Actions
Copy link
 #11

Updated by Jeff Lucovsky 7 months ago

  • Status changed from In Review to Resolved
Actions
Copy link
 #12

Updated by Philippe Antoine 7 months ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF