Suricata "stats" (EVE) not showing "sensor-name"

dabeave · August 4, 2020, 7:08pm

Hello!

I have Suricata 5.0.1 running across a bunch of sensors. To keep things straight, I have set each sensor with a unique “sensor-name” which shows up in the various Suricata EVE (alert/flow/etc). The one place the “sensor-name” (“host” key) does not show up is in the Suricata EVE “stats”. I get the full JSON of stats but it doesn’t have a “host” key. Is there something I’m missing?

Thank you!

ish · August 4, 2020, 10:44pm

I don’t think you’re missing anything. I just tried 5.0.1 from our 5.0.1 release tarball and in my config I have:

# Some logging module will use that name in event as identifier. The default
# value is the hostname
sensor-name: MEER

And I see a “host” and the bottom of each “stats” record:

    "ftp": {
      "memuse": 0,
      "memcap": 0
    }
  },
  "host": "MEER"
}

dabeave · August 5, 2020, 6:25pm

That the exact same thing I have. the ‘host’ key shows up in all logs. However, there is no ‘host’ key in my stats. Weird and it’s probably something I’m doing:

sensor-name: quadrant-soc-att-fiber

{“timestamp”:“2020-08-05T14:20:01.387846-0400”,“flow_id”:46634626050822,“in_iface”:“eth0”,“event_type”:“alert”,“src_ip”:“12.159.2.10”,"
dest_ip":“12.145.241.1”,“proto”:“ICMP”,“icmp_type”:8,“icmp_code”:0,“alert”:{“action”:“allowed”,“gid”:1,“signature_id”:20000004,“rev”:1,
“signature”:“QUADRANT Ping Packet [ICMP]”,“category”:“Not Suspicious Traffic”,“severity”:3},“flow”:{“pkts_toserver”:1,“pkts_toclient”:0
,“bytes_toserver”:98,“bytes_toclient”:0,“start”:“2020-08-05T14:20:01.387846-0400”},“payload”:“UfgqXwAAAABZ6gUAAAAAAE9GVFdJTkstUElOR9raU
09GVFdJTkstUElOR9raU09GVFdJTkstUEk=”,“stream”:0,“packet”:“VDloDw7EADAYyy2NCABFAABU3y9AAEABTz4MnwIKDJHxAQgA/qwMJAABUfgqXwAAAABZ6gUAAAAA
AE9GVFdJTkstUElOR9raU09GVFdJTkstUElOR9raU09GVFdJTkstUEk=”,“packet_info”:{“linktype”:1},“host”:“quadrant-soc-att-fiber”}

tail -n 1000 stats.log | grep ‘host’

Shows no results.

I’ll keep poking.

dabeave · August 5, 2020, 7:50pm

Upgraded to Suricata 5.0.3. Same thing… .I’ll keep poking…

ish · August 5, 2020, 7:54pm

So I don’t think the hostname is logged in the default stats.log at all. Look for the stats events in the eve.json, those should have the “host” field.

dabeave · August 6, 2020, 2:31am

Hey Jason,

Sorry… That ‘stats.log’ is my EVE file. Here’s an example output of the it (just the ending)…

… http":3997,“ftp”:0,“smtp”:0,“tls”:64397,“ssh”:5,“imap”:0,“smb”:0,“dcerpc_tcp”:0,“dns_tcp”:7,“nfs_tcp”:0,“ntp”:3944,“ftp-data”:0,“tftp”:0,“ikev2”:0,“krb5_tcp”:0,“dhcp”:213,“snmp”:6,“sip”:26,“rdp”:0,“failed_tcp”:13,“dcerpc_udp”:0,“dns_udp”:51894,“nfs_udp”:0,“krb5_udp”:0,“failed_udp”:24871},“tx”:{“http”:16042,“ftp”:0,“smtp”:0,“tls”:0,“ssh”:0,“imap”:0,“smb”:0,“dcerpc_tcp”:0,“dns_tcp”:22,“nfs_tcp”:0,“ntp”:4588,“ftp-data”:0,“tftp”:0,“ikev2”:0,“krb5_tcp”:0,“dhcp”:278,“snmp”:9,“sip”:26,“rdp”:0,“dcerpc_udp”:0,“dns_udp”:105191,“nfs_udp”:0,“krb5_udp”:0},“expectations”:0},“flow_mgr”:{“closed_pruned”:68274,“new_pruned”:43700,“est_pruned”:52360,“bypassed_pruned”:0,“flows_checked”:26,“flows_notimeout”:13,“flows_timeout”:13,“flows_timeout_inuse”:3,“flows_removed”:10,“rows_checked”:65536,“rows_skipped”:65506,“rows_empty”:6,“rows_busy”:0,“rows_maxlen”:2},“http”:{“memuse”:19757,“memcap”:0},“ftp”:{“memuse”:0,“memcap”:0}}}

No “host” key present. However, in the alert EVE…

… “start”:“2020-08-05T22:30:01.741712-0400”},“payload”:“LWsrXwAAAACQUwsAAAAAAE9GVFdJTkstUElOR9raU09GVFdJTkstUElOR9raU09GVFdJTkstUEk=”,“stream”:0,“packet”:“VDloDw7EADAYyy2NCABFAABUCHpAAEABJfQMnwIKDJHxAQgAmbBYQAAFLWsrXwAAAACQUwsAAAAAAE9GVFdJTkstUElOR9raU09GVFdJTkstUElOR9raU09GVFdJTkstUEk=”,“packet_info”:{“linktype”:1},“host”:“MEER”}

dabeave · August 6, 2020, 1:03pm

Hey Jason,

I’m at a loss. The ‘host’ key is every where but stats. I’ve renamed the stats file to ‘stats.json’ in my config to be clear. I also posted my configuration at https://vistech.net/~champ/suricata-quadrant.yaml . Is there something I’m doing that is obviously wrong? I’ve tried this config with 5.0.1 and 5.0.3.

Edit: I also upload the stats.json output generated from this configuration to https://vistech.net/~champ/stats.json

Thank you.

ish · August 6, 2020, 2:55pm

Hi Champ,

Convert your stats log to look like your other eve loggers, that should fix it. Like:

  - eve-log: 
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: stats.json
      pcap-file: false
      community-id: false
      community-id-seed: 0
      types:
        - stats

there are slight differences in setup between how these work. In fact we plan to remove support for configuring them outside of an eve-log section.

dabeave · August 6, 2020, 2:57pm

Thank you sir! I’ll give that a try. I figured it was something on my side. Hope you are doing well Mr. Ish.

dabeave · August 10, 2020, 8:17pm

That did the trick. Thanks.

Topic		Replies	Views
Hostname field in events Help	6	605	August 10, 2022
Probe identification inside regular Eve-log Help events	1	325	July 21, 2023
Evebox/esimport - There does not appear to be and entry for sensor id/name Help	2	403	February 16, 2021
Eve.json only shows "event_type":"flow" Help	7	1595	October 22, 2020
Host field in json output unix_stream Help	2	72	July 5, 2024

Suricata "stats" (EVE) not showing "sensor-name"

Related topics