Following the steps to get Suricata to feed data via a unix socket (unix_stream) for Telegraf to read, I added eve-log config lines in suricata.yaml to send data to /var/run/suricata-stats.sock. I did a test with `cat /var/run/suricata-stats.sock`, and there is a lot of data coming out.
Then I put the input.suricata lines in telegraf.conf. After restarting the telegraf service, I see this line:
```
2020-04-25T16:41:16Z E! [telegraf] Error running agent: listen unix /var/run/suricata-stats.sock: bind: address already in use
```
For some reason telegraf could not read from the socket. Could you help?
I really can't wait to be able to visualize data from Suricata.
[Influxdata article on Suricata and Telegraf](https://www.influxdata.com/blog/network-security-monitoring-with-suricata-and-telegraf/)
Corrections for the instructions on that page:
- Socket location is `/var/run/suricata-stats.sock`. Notice part of the notes says `/tmp/suricata-stats.sock`.
- Input statement for telegraf.conf:
  Notice the original article says `[[input.suricata]]`.
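As an added illustration (not part of the original post, and not Telegraf's or Suricata's own code): on Linux, `bind()` on a unix socket path returns `EADDRINUSE`, the "address already in use" seen above, whenever anything already occupies that path, whether a regular file, a leftover socket file from an earlier run, or a socket another process is still listening on. The script below reproduces each case in a temporary directory with constructed file names and shows the check a practitioner can run first: classify what is at the path, and only remove it when it is a stale socket nobody is listening on.

```python
import errno
import os
import shutil
import socket
import stat
import tempfile


def classify_socket_path(path):
    """Report what occupies `path`: 'absent', 'regular', 'stale-socket',
    'live-socket' or 'other'. A socket file is probed with connect() to
    tell a dead listener (ECONNREFUSED) from a live one."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "absent"
    if stat.S_ISREG(st.st_mode):
        return "regular"
    if not stat.S_ISSOCK(st.st_mode):
        return "other"
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        probe.connect(path)
        return "live-socket"
    except ConnectionRefusedError:
        return "stale-socket"
    finally:
        probe.close()


def bind_result(path):
    """Try to bind a listening unix stream socket at `path` the way a
    collector would. Returns None on success (the name is released again)
    or the errno name, e.g. 'EADDRINUSE', on failure."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    else:
        os.unlink(path)  # leave nothing behind
        return None
    finally:
        srv.close()


def remove_if_stale(path):
    """Unlink `path` only when it is a socket file with no listener.
    Regular files and live sockets are left alone so that data is not
    destroyed and a running process is not disturbed."""
    if classify_socket_path(path) == "stale-socket":
        os.unlink(path)
        return True
    return False


def demo_cases():
    """Reproduce the four situations in a scratch directory (constructed
    paths, hypothetical names) and return {case: (classification, bind errno)}."""
    tmp = tempfile.mkdtemp(prefix="sockdemo-")
    results = {}
    try:
        # 1. A regular file sits at the socket path (e.g. something wrote
        #    JSON lines to the name as a plain file).
        p = os.path.join(tmp, "regular.sock")
        with open(p, "w") as f:
            f.write('{"event_type": "stats"}\n')
        results["regular"] = (classify_socket_path(p), bind_result(p))

        # 2. A stale socket: a previous listener exited without unlinking.
        p = os.path.join(tmp, "stale.sock")
        old = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        old.bind(p)
        old.listen(1)
        old.close()
        results["stale"] = (classify_socket_path(p), bind_result(p))
        results["stale_removed"] = remove_if_stale(p)

        # 3. A live listener still owns the path.
        p = os.path.join(tmp, "live.sock")
        live = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        live.bind(p)
        live.listen(1)
        results["live"] = (classify_socket_path(p), bind_result(p))
        live.close()

        # 4. Nothing at the path: bind succeeds.
        p = os.path.join(tmp, "free.sock")
        results["absent"] = (classify_socket_path(p), bind_result(p))
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
    return results


if __name__ == "__main__":
    for case, outcome in demo_cases().items():
        print(f"{case:14s} {outcome}")
```

Run against a real deployment, `classify_socket_path("/var/run/suricata-stats.sock")` distinguishes the three failure cases before any restart: "regular" means the path was written as an ordinary file rather than a socket, "stale-socket" means an earlier listener left its file behind, and "live-socket" means another process (an earlier collector instance, for example) is still bound there.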