Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Thread metrics not collected in NFQueue runmode #17

Closed
rowecharles opened this issue May 29, 2024 · 5 comments · Fixed by #19
Closed

Thread metrics not collected in NFQueue runmode #17

rowecharles opened this issue May 29, 2024 · 5 comments · Fixed by #19

Comments

@rowecharles
Copy link

  • Suricata version: v7.0.1
  • Suricata runmode: nfqueue
  • Suricata Exporter version: v0.3.0

After switching Suricata to NFQueue runmode the thread metrics are no longer collected. There are warnings in the logs such as:

2024/05/28 22:52:19 WARN: Unhandled thread: W-NFQ#0
2024/05/28 22:52:19 WARN: Unhandled thread: W-NFQ#1
2024/05/28 22:52:19 WARN: Unhandled thread: W-NFQ#2
2024/05/28 22:52:19 WARN: Unhandled thread: W-NFQ#3

The thread metrics are available from Suricata however the thread names have prefix W-NFQ#:

$ suricatasc -c dump-counters | jq
...
    "threads": {
      "W-NFQ#0": {
        "ips": {
          "accepted": 25624776,
          "blocked": 1457,
...

The exporter expects worker threads to have a prefix W# which is not the case when in nfqueue runmode:

suricata_exporter/main.go

Line 756 in 998e7d9

if strings.HasPrefix(threadName, "W#") {

awelzel added a commit that referenced this issue Aug 5, 2024
@awelzel
Add support for RX threads.
f293546 
This should support NFQ with in autofp and workers mode. It also
adds very basic support for the ips packet metrics as

  suricata_ip_blocked_packets_total

Closes #17
@awelzel awelzel linked a pull request Aug 5, 2024 that will close this issue
Support NFQ in runmode autofp and workers #19
Merged
@awelzel awelzel closed this as completed in 6b85c1e Aug 5, 2024
@awelzel
Copy link
Collaborator

awelzel commented Aug 5, 2024
edited
Loading

@rowecharles / @Neurozone - could you check if v0.4.0-rc1 works for you? I've also added the ips section as individual packet counter metrics. Would be good to get some feedback if this works for you now (possibly attaching a dump-counters.json output with your expectations if not). Thanks!

@Neurozone
Copy link

Will check tomorrow :)

@rowecharles
Copy link
Author

@awelzel , I've validated on our setup and confirmed that all the thread metrics are now getting collected including the new IP packet counter metrics.

Thanks a lot for the fix and all the work on the project!

@awelzel
Copy link
Collaborator

awelzel commented Aug 21, 2024

Thanks, I've pushed 0.4.0 now.

@Neurozone
Copy link

I also confirm that I don't have theses warnings anymore with version 0.4.
But I have other warnings. I will open another issue for that

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Support NFQ in runmode autofp and workers corelight/suricata_exporter
3 participants
@awelzel @Neurozone @rowecharles