Bug #6732
closed
eve/stats: parent interface object in stats contains VLAN-ID as keys
Description
The suricata_exporter translating from Suricata's dump-counters JSON output to Prometheus metrics expects all entries in the "threads" object to map thread names per interface to further JSON objects containing stats for individual threads.
    "threads": {
      "W#01-bond1": {
        "capture": {
          "kernel_packets": 27888,
          "kernel_drops": 0,
          "errors": 0,
With Suricata 7.0.3 (and possibly others), when a VLAN tagged interface is used, the parent interface contains a map where the children are the VLAN Tags:
{
  "W#01-bond1": {
    "30": {
      "capture": {
        "kernel_packets": 247478455,
        "kernel_drops": 186199,
       ...
This inconsistent structure is problematic for successful decoding in all cases. A better approach would be to have this form:
{
  "W#01-bond1.30": {
    "capture": {
      "kernel_packets": 247478455,
      "kernel_drops": 186199,
     ...
as per the ip command output:
45: bond1.30@bond1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
A related issue exists in the suricata_exporter repo:
https://github.com/corelight/suricata_exporter/issues/12
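One way a consumer of the stats can tolerate both layouts quoted above, flattening VLAN children to the `parent.vlan` form the report proposes. This is an added example, not code from Suricata or suricata_exporter; the function names, the digit-key heuristic, the `memcap_pressure` key and the sample values are constructed assumptions.

```python
import json

# Constructed sample: both shapes from the report plus a scalar (cf. Bug #6398 title).
SAMPLE = json.loads("""
{"threads": {
  "W#01-bond0": {"capture": {"kernel_packets": 27888, "kernel_drops": 0, "errors": 0}},
  "W#01-bond1": {
    "30": {"capture": {"kernel_packets": 247478455, "kernel_drops": 186199}},
    "40": {"capture": {"kernel_packets": 1200, "kernel_drops": 3}}
  },
  "memcap_pressure": 0
}}
""")


def is_vlan_key(key, value):
    """Heuristic (assumption): a VLAN child is an ASCII decimal key 0-4095 holding an object."""
    return key.isascii() and key.isdigit() and int(key) <= 4095 and isinstance(value, dict)


def normalize_threads(threads):
    """Return ({thread_name: stats_object}, {scalar_name: value})."""
    per_thread, scalars = {}, {}
    for name, entry in threads.items():
        if not isinstance(entry, dict):
            scalars[name] = entry  # not a thread object: keep it out of the thread map
            continue
        own = {}
        for key, value in entry.items():
            if is_vlan_key(key, value):
                per_thread[f"{name}.{key}"] = value  # "W#01-bond1" + "30" -> "W#01-bond1.30"
            else:
                own[key] = value  # ordinary stat group such as "capture"
        if own:
            per_thread[name] = own
    return per_thread, scalars


def drop_ratio(stats):
    """kernel_drops / kernel_packets for one thread; 0.0 when no packets were counted."""
    capture = stats.get("capture", {})
    packets = capture.get("kernel_packets", 0)
    return capture.get("kernel_drops", 0) / packets if packets else 0.0


if __name__ == "__main__":
    threads, scalars = normalize_threads(SAMPLE["threads"])
    for name in sorted(threads):
        print(f"{name}: drop ratio {drop_ratio(threads[name]):.6f}")
```

Without such normalization, a decoder that expects stat groups directly under each thread name reports no capture counters for the VLAN-tagged interface, so kernel drops there go unmonitored.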
Updated by Jeff Lucovsky over 1 year ago
@vpiserchia Can you provide the entire dump-counters output?
Updated by Vito Piserchia over 1 year ago
- Subject changed from Suricata 7.0.3 parent interface object in stats contains VLAN-ID as keys to Suricata 7.0.2 parent interface object in stats contains VLAN-ID as keys
- Affected Versions 7.0.2 added
- Affected Versions deleted (7.0.3)
Updated by Vito Piserchia over 1 year ago
Added dump-counters output
Updated by Arne Welzel over 1 year ago
Proposed fix: https://github.com/OISF/suricata/pull/10316
Updated by Victor Julien over 1 year ago
- Status changed from New to In Progress
- Assignee changed from OISF Dev to Arne Welzel
- Target version changed from TBD to 8.0.0-beta1
- Label Needs backport to 7.0 added
Updated by Jeff Lucovsky over 1 year ago
- Status changed from In Progress to In Review
Updated by Jeff Lucovsky over 1 year ago
- Blocks Bug #6398: eve/stats: threads object in stats contains memcap_pressure scalars added
Updated by Jeff Lucovsky over 1 year ago
- Related to Bug #6907: Fix stats key (7.0.x backport) added
Updated by Jeff Lucovsky over 1 year ago
- Status changed from In Review to Resolved
Updated by Philippe Antoine over 1 year ago
- Status changed from Resolved to Closed
Updated by Victor Julien 7 months ago
- Subject changed from Suricata 7.0.2 parent interface object in stats contains VLAN-ID as keys to eve/stats: parent interface object in stats contains VLAN-ID as keys