Looking to see if there is a log (probably stats.log) that contains information to detect when a monitoring interface is no longer seeing traffic (e.g. tap dies; misconfigured monitor port).
How about a check on something like capture.kernel_packets
not updating in a few seconds or so? Or any other stat that you’d expect to have something?
If the link/interface is down, you can also see this in suricata.log.
If it’s fully passive you could either check the stats Shivani mentioned or use the suricatasc unix socket command and check the iface-stats from time to time.
Perfect – I then created a query using stats.kernel_packets and the delta over time. It works perfectly. Thank you.
Additional info: the counter appears to reset. As long as you are taking a sampling from different timestamps, you should be able to calculate the delta; when delta=0, the interface isn’t seeing traffic.
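The delta-over-time check described in this thread, written out as an added example (this is not code from the thread or from the Suricata project). It reads EVE JSON `stats` records, takes `stats.capture.kernel_packets` as the counter, handles the counter reset mentioned above (a value lower than the previous sample is treated as a restart, and the first post-reset value becomes that interval's delta), and only raises a dead-interface alert after a configurable number of consecutive zero deltas so a momentarily quiet link does not trip it. The sample records are constructed; the field path is an assumption and can differ between Suricata versions and configurations (per-thread counters, stats.log vs eve.json), so adjust `parse_stats` to the layout you actually have.

```python
import json

# Constructed EVE JSON stats records (not real Suricata output). Layout assumed:
# {"timestamp": ..., "event_type": "stats", "stats": {"capture": {"kernel_packets": N}}}
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":8,"capture":{"kernel_packets":1000,"kernel_drops":0}}}',
    '{"timestamp":"2024-01-01T10:00:08.000000+0000","event_type":"stats","stats":{"uptime":16,"capture":{"kernel_packets":2500,"kernel_drops":0}}}',
    # counter stops moving: tap or monitor port no longer delivering packets
    '{"timestamp":"2024-01-01T10:00:16.000000+0000","event_type":"stats","stats":{"uptime":24,"capture":{"kernel_packets":2500,"kernel_drops":0}}}',
    '{"timestamp":"2024-01-01T10:00:24.000000+0000","event_type":"stats","stats":{"uptime":32,"capture":{"kernel_packets":2500,"kernel_drops":0}}}',
    # counter reset (e.g. Suricata restarted): value drops below the previous sample
    '{"timestamp":"2024-01-01T10:00:32.000000+0000","event_type":"stats","stats":{"uptime":8,"capture":{"kernel_packets":300,"kernel_drops":0}}}',
    '{"timestamp":"2024-01-01T10:00:40.000000+0000","event_type":"stats","stats":{"uptime":16,"capture":{"kernel_packets":900,"kernel_drops":0}}}',
    # a non-stats record and a malformed line, both ignored
    '{"timestamp":"2024-01-01T10:00:41.000000+0000","event_type":"alert"}',
    'not json',
]


def parse_stats(lines):
    """Yield (timestamp, kernel_packets) for every well-formed eve 'stats' record."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "stats":
            continue
        pkts = rec.get("stats", {}).get("capture", {}).get("kernel_packets")
        if pkts is None:
            continue
        yield rec["timestamp"], int(pkts)


def packet_deltas(samples):
    """Return [(timestamp, delta, reset)] between consecutive samples.

    A sample lower than its predecessor is treated as a counter reset; the
    interval's delta is then the new value itself, since counting restarted at 0.
    """
    out = []
    prev = None
    for ts, pkts in samples:
        if prev is not None:
            reset = pkts < prev
            delta = pkts if reset else pkts - prev
            out.append((ts, delta, reset))
        prev = pkts
    return out


def find_stalls(deltas, min_consecutive=2):
    """Return the timestamps at which a zero-delta run reaches min_consecutive.

    One timestamp per stall onset: the alert fires when the run length first
    hits the threshold and does not repeat while the interface stays silent.
    """
    alerts = []
    run = 0
    for ts, delta, _reset in deltas:
        run = run + 1 if delta == 0 else 0
        if run == min_consecutive:
            alerts.append(ts)
    return alerts


def detect_dead_interface(lines, min_consecutive=2):
    """Convenience wrapper: eve lines in, list of stall-onset timestamps out."""
    return find_stalls(packet_deltas(parse_stats(lines)), min_consecutive)


if __name__ == "__main__":
    for ts, delta, reset in packet_deltas(parse_stats(SAMPLE_EVE_LINES)):
        print(f"{ts}  delta={delta:>5}  reset={reset}")
    print("stall alerts:", detect_dead_interface(SAMPLE_EVE_LINES))
```

In a real deployment you would feed this the tail of eve.json (or poll `suricatasc` for `iface-stats` on the same schedule) and pick `min_consecutive` to be longer than the quietest interval your link legitimately has; the stats interval itself is set in suricata.yaml, so the threshold expressed in samples is what you tune.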