Telegraf stats and multiple Suricata instances
-
Hi
I have 2 Suricata instances running for 2 interfaces, and both are configured to write to the same socket file that is parsed by Telegraf.
The issue I have is that I only get the stats from the one Suricata instance. Is there a way/trick to achieve this?
-
I don't think you can do this, at least not without having each Suricata instance connecting to a different socket. And I'm not sure the single telegraf instance supports two instances of the plugin running on different sockets. Perhaps it does, though. I'm not familiar with the package.
But two Suricata instances trying to communicate with the same socket are bound to "collide" and cause problems. I think the first Suricata instance to come up and open the socket connection is then going to hold the lock and prevent the second Suricata instance from connecting.
-
Yeah, that is exactly what happens: the first Suricata instance to start is the one showing the stats. Unfortunately, the Suricata plugin does not support multiple sources, so the only way is to start another Telegraf instance not managed by pfSense.