Message-ID: <56ad0ff847bb0b5b5808084321ac52efd63cd16f.camel@disroot.org>
Subject: Zabbix support for suricata-reporter
From: Robin Roevens
To: Michael Tremer
Cc: "IPFire: Development-List"
Date: Thu, 02 Oct 2025 23:04:55 +0200

Hi Michael

I saw there is a suricata-reporter in the upcoming CU. And I was wondering if I could add an additional reporter into it for sending alerts straight to Zabbix, next to syslog and email. I have already been experimenting with parsing fast.log using the zabbix_agentd, which seems to work quite well.
But since there is now a reporter, it would be nice to have it support sending alerts to zabbix directly instead of zabbix separately monitoring the fast.log file. If that would be ok for you.

There are 2 possible ways to do this:
- using the zabbix_utils python library: https://blog.zabbix.com/python-zabbix-utils/27056/
- or using the zabbix_sender command utility that currently gets installed when installing zabbix_agentd

I assume using the python library will probably be the most performant option; but then I should also create a zabbix_utils python library pak-file?
Both the python module and the command-line cli have the possibility to get zabbix server connection info from the zabbix_agentd config file, so the config of the reporter would be something like:

    [zabbix]
    enabled = true
    zabbix_agentd_config = /etc/zabbix_agentd/zabbix_agentd.conf
    alert_item_key = ipfire.suricata.event.get

Then the reporter can format the incoming suricata alert/event as json and send it to the configured alert_item_key on the zabbix server as configured in the zabbix_agentd.conf.

Is this something you are open to? Then I can try to create a patch for suricata-reporter. (Where should I then submit it? Also on this list?)
If not, I will have to continue working on the fast.log parsing.

And while on the topic of monitoring suricata: I would like to get some extra stats from it, which, as far as I currently know, can be retrieved using the suricata unix socket that is currently disabled by default on ipfire. Many seem to use a 'suricatasc' tool to query suricata using that socket, but that tool is not available on ipfire. Is it possible to have it on ipfire, or should I start experimenting using socat?
And if successful, is it then allowed for a future zabbix_agentd addon pak to enable that socket in the suricata config?
If you dislike the idea of enabling and querying the socket, another possibility is having suricata dump stats in a separate stats.log, which I should then be able to parse using Zabbix.

Before I start any implementations, what are your thoughts about all this?

Regards
Robin
-- 
This message has been scanned for viruses and other dangerous content by MailScanner and appears to be clean.
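Added example, not the author's code and not part of IPFire's suricata-reporter or the zabbix_utils library: a sketch of the zabbix_sender variant of the reporter proposed above. It parses Suricata fast.log alert lines (the same format the zabbix_agentd experiment reads), checks that the zabbix_agentd.conf the reporter is pointed at actually carries ServerActive and Hostname before anything is sent, and builds the JSON value and the zabbix_sender -c/-k/-o command line that would deliver the alert to the trapper item ipfire.suricata.event.get. The [zabbix] keys and the item key are taken from the mail; the log line, the agent config excerpt and the function names (parse_fastlog_line, read_agent_conf, report_alert) are constructed for this demo, and IPv4 endpoints are assumed.

```python
"""Zabbix reporter sketch for Suricata alerts (added example, not IPFire's
suricata-reporter and not zabbix_utils). Parses fast.log alert lines, checks
the zabbix_agentd.conf it reuses for ServerActive/Hostname, and builds the
JSON value plus the zabbix_sender argv that would push the alert to a
trapper item. Sample log line and agent config below are constructed."""
import json
import re
import shlex

# The [zabbix] section proposed in the mail, as the reporter would load it.
REPORTER_CONFIG = {
    "enabled": True,
    "zabbix_agentd_config": "/etc/zabbix_agentd/zabbix_agentd.conf",
    "alert_item_key": "ipfire.suricata.event.get",
}

# Constructed fast.log line in Suricata's default alert format.
SAMPLE_FASTLOG = (
    "10/02/2025-23:04:55.123456  [**] [1:2100498:7] "
    "GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.0.2.10:80 -> 198.51.100.5:51234"
)

# Constructed zabbix_agentd.conf excerpt; only the keys zabbix_sender needs.
SAMPLE_AGENT_CONF = """\
# Hostname=override-me   (a comment, must be ignored)
ServerActive=203.0.113.7:10051
Hostname=ipfire.example.lan
"""

FASTLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def split_endpoint(endpoint, proto):
    """Split 'ip:port' for port-carrying protocols. IPv4 is assumed; IPv6
    endpoints would need their own handling, which this demo skips."""
    if proto.upper() in ("TCP", "UDP", "SCTP") and ":" in endpoint:
        ip, port = endpoint.rsplit(":", 1)
        return ip, int(port)
    return endpoint, None


def parse_fastlog_line(line):
    """Return a dict for one fast.log alert line, or None if it does not parse."""
    m = FASTLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    src_ip, src_port = split_endpoint(d["src"], d["proto"])
    dst_ip, dst_port = split_endpoint(d["dst"], d["proto"])
    return {
        "timestamp": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]),
        "rev": int(d["rev"]), "signature": d["msg"], "classification": d["cls"],
        "priority": int(d["prio"]), "proto": d["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dest_ip": dst_ip, "dest_port": dst_port,
    }


def read_agent_conf(text):
    """Parse Key=Value lines of zabbix_agentd.conf; '#' starts a comment and,
    as in the agent, a later assignment overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                conf[key.strip()] = value.strip()
    return conf


def report_alert(line, reporter_cfg, agent_conf_text, runner=None):
    """Turn one fast.log line into a zabbix_sender invocation. Returns None if
    the reporter is disabled or the line is not an alert; raises ValueError if
    the agent config lacks ServerActive/Hostname, which `zabbix_sender -c`
    takes from that file. `runner` (e.g. subprocess.run) is only called if given."""
    if not reporter_cfg.get("enabled"):
        return None
    alert = parse_fastlog_line(line)
    if alert is None:
        return None
    conf = read_agent_conf(agent_conf_text)
    missing = [k for k in ("ServerActive", "Hostname") if k not in conf]
    if missing:
        raise ValueError("zabbix_agentd.conf lacks " + ", ".join(missing))
    # Compact, key-sorted JSON: a small trapper value with a stable form.
    value = json.dumps(alert, separators=(",", ":"), sort_keys=True)
    # -c reuses the agent's ServerActive/Hostname (and TLS settings), -k is
    # the trapper item key, -o the value. argv is a list, so the signature
    # text never passes through a shell, whatever characters it contains.
    argv = ["zabbix_sender", "-c", reporter_cfg["zabbix_agentd_config"],
            "-k", reporter_cfg["alert_item_key"], "-o", value]
    if runner is not None:
        runner(argv)
    return {"argv": argv, "value": value, "alert": alert}


if __name__ == "__main__":
    result = report_alert(SAMPLE_FASTLOG, REPORTER_CONFIG, SAMPLE_AGENT_CONF)
    print(result["value"])
    print(shlex.join(result["argv"]))
```

Running the script prints the JSON value and the escaped command line; passing `runner=functools.partial(subprocess.run, check=True)` would actually execute zabbix_sender, and on the Zabbix side the key needs a trapper item of type text on the host named in Hostname. Spawning one process per alert is the cost of the CLI route the mail mentions; the zabbix_utils route would keep one sender object and reuse it.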