Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Telegraf stats and multiple suricata instances

    Scheduled Pinned Locked Moved IDS/IPS
    3 Posts 2 Posters 363 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      verizu
      last edited by

      Hi

      I have 2 suricata instances running for 2 interfaces and both are configured to write to the same socket file that is parsed by telegraf.

      The issue I have is that I only get the stats from the one suricata instance, is there a way/trick to achieve this ?

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        I don't think you can do this, at least not without having each Suricata instance connecting to a different socket. And I'm not sure the single telegraf instance supports two instances of the plugin running on different sockets. Perhaps it does, though. I'm not familiar with the package.

        But two Suricata instances trying to communicate with the same socket are bound to "collide" and cause problems. I think the first Suricata instance to come up and open the socket connection is then going to hold the lock and prevent the second Suricata instance from connecting.

        1 Reply Last reply Reply Quote 0
        • V
          verizu
          last edited by verizu

          yeah that is exactly what happens, the first suricata instance to start is the one showing the stats, unfortunately the suricata plugin does not support multiple sources so the only way is to start another telegraf instance not managed by pFsense

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.