In this post, we will onboard a Suricata Sensor on Zabbix so we can basic metrics for our sensor. The metrics will be collected through suricatasc command. Also we will create a Zabbix discovery service so we can detect automatically the monitoring interfaces and create the items for our sensor.

Firstly we will add the custom userparameters for Zabbix agent in /etc/zabbix/zabbix_agent2.d/Userparameters.conf file

UserParameter=suricata.stats[*],suricatasc -c "iface-stat $1" /var/run/suricata/suricata-command.socket
UserParameter=suricata.iface-list,suricatasc -c "iface-list" /var/run/suricata/suricata-command.socket | convert2zabbix

Be aware that putting the full path of the UNIX socket in the suricatasc command is mandatory, otherwise, the “permission denied” will be raised. The next lines are the convert2zabbix python program that converts the interface list in Zabbix compatible form. This script will be used by the Zabbix discovery service to detect in the creation phase the monitoring interfaces and add the appropriate Zabbix items.

#!/usr/bin/python3
import json
import sys


f = sys.stdin
data = json.load(f)
print("[")
lista = data["message"]["ifaces"]
for i,interface in enumerate(lista):
      if i:
         print(",")
      print("{\"{#INTERFACE}\":\""+interface+"\"}",end="")
print("\n]")

Save the Python script in one of the Linux environment variable PATH folders (or call it with full path) and give execution permissions (or call the script with python3 in front). Add Zabbix user in Suricata group to have permissions at the Suricata socket. Example commands can be found in the next lines.

chmod +x /usr/local/bin/convert2zabbix
usermod -a -G suricata zabbix
newgroup suricata
firewall-cmd --zone=public --add-port=10050/tcp --permanent
firewall-cmd --reload 
systemctl restart zabbix-agent2

If everything is configured correctly you can run the command for the Zabbix Server to check that results are returned.

root@zabbixserver:~# zabbix_get -s <ip> -k suricata.iface-list
[
{"{#INTERFACE}":"ens224"},
{"{#INTERFACE}":"ens256"}
]

root@zabbixserver:~# zabbix_get -s <ip> -k suricata.stats[ens224]
{"message": {"pkts": 23772247778, "invalid-checksums": 0, "drop": 0, "bypassed": 0}, "return": "OK"}

Import the Zabbix template that can be found at https://github.com/chrisanag1985/suricata_template/blob/main/suricata_template.json and link the Zabbix host with this template and execute the discovery service for Suricata, then check if new items created under the host. The items are dependent items to avoid making many requests from the Zabbix Server.

All the configuration files and scripts can be found at https://github.com/chrisanag1985/suricata_template