[Feature Request] How can every Suricata interfaced be reached with only one click with the widget?

Bob.Dig

I really like the Suricata widget but it only shows alerts from one interface. How can every interfaced be monitored with the widget? Or better to get one Widget per interface, so by clicking the widget, the right alerts are activated.

NogBadTheBad

@Bob-Dig You mean being able to use the same widget multiple times like the interface one on the main page ?

So you can see the last 5 alerts on the WAN interface and the last 5 on the LAN interface ?

Bob.Dig

@NogBadTheBad Yes and by clicking on it, it should open the associated interface alerts.

michmoor

@NogBadTheBad I see you got a lot of interfaces set up for Suricata. What system are you running?
@Bob-Dig Didnt mean to hijack the thread. Just saw something and was super curious about it.

NogBadTheBad

@michmoor its on the device in my signature at the bottom, they’re all vlans on one interface that’s set to promiscuous mode apart from the instance running on my wan interface.

bmeeks

@Bob-Dig said in How can every Suricata interfaced be monitored with the widget?:

I really like the Suricata widget but it only shows alerts from one interface.

It should be showing alerts from ALL configured interfaces. It reads the currently active alerts.log file for each configured interface into an array, then sorts that array by the timestamp. It displays the most recent "x" alerts where "x" is configurable by the user.

If one particular interface "dominates" by having the majority of alerts, and those happen to be the most recent, then it may appear that only that single interface is being displayed.

The widget is just a point-in-time quick snapshot for reference. The intention is for the admin to look on the ALERTS tab regularly for details. There is not really enough physical space to make the widget a duplicate of the ALERTS tab.

Bob.Dig

@bmeeks said in How can every Suricata interfaced be monitored with the widget?:

The widget is just a point-in-time quick snapshot for reference. The intention is for the admin to look on the ALERTS tab regularly for details. There is not really enough physical space to make the widget a duplicate of the ALERTS tab.

I described it wrong for sure (I changed the heading now). The problem for me, if I click on the widget, it is always bringing me to the oldest interface, which is not the one with the actual alerts in my case.

The solution could be to have a "unified" alerts page for all the interfaces, so that I don't have to change the interfaces to manage the alerts. Or to have a configurable widget that allows me to set it up per interface (which also links to that interface alerts) and then have many of them.

Bob.Dig

@michmoor said in How can every Suricata interfaced be monitored with the widget?:

@NogBadTheBad I see you got a lot of interfaces set up for Suricata. What system are you running?

That is only the interface widget, not Suricata.

NogBadTheBad

@Bob-Dig It was an example of how it could been done.