net-mgmt/telegraf: Allow Run as Root

[mimugmail]

Closes #2239

[mimugmail]

Also closes #2475

[psychogun]

Could you also update the [[inputs.tail]] section also?

[[inputs.tail]]
  data_format = "json"
  files = ["/var/log/suricata/eve.json"]
  name_override = "suricata-alerts"
  tag_keys = ["flow_id","in_iface","event_type","src_ip","src_port","dest_ip","dest_port","proto"]
  json_string_fields = ["*"]
  json_time_key = "timestamp"
  json_time_format = "2006-01-02T15:04:05-0700" 

[mimugmail]

I'm still unsure about the tags as it generates a new series for each event (with the existing one)

[psychogun]

I am not sure of any of this, either :) I just know I got more metrics to sort by when I used that configuration with InfluxDB v2.

I think using suricata-alerts would be beneficial as it will not collide with the [[inputs.suricata]] built-in plugin in Telegraf.
https://github.com/influxdata/telegraf/blob/master/plugins/inputs/suricata/README.md

Regards to tag_keys:
https://github.com/influxdata/telegraf/tree/master/plugins/parsers/json

NOTE: All JSON numbers are converted to float fields. JSON strings and booleans are ignored unless specified in the tag_key or json_string_fields options.

Of the looks of it, you do not have any timestamp on your example events? #2239 (comment)

By default the current time will be used for all created metrics, to set the time using the JSON document you can use the json_time_key and json_time_format options together to set the time to a value in the parsed document.

The json_time_key option specifies the key containing the time value and json_time_format must be set to unix, unix_ms, unix_us, unix_ns, or the Go "reference time" which is defined to be the specific time: Mon Jan 2 15:04:05 MST 2006.

Down the line I also think the data_format should be "json_v2" (??) https://github.com/influxdata/telegraf/tree/master/plugins/parsers/json_v2

Using JSON Parser - Version 2 will make it possible to produce metrics for nested keys, such as alert.action etc.
https://github.com/influxdata/telegraf/blob/master/plugins/inputs/suricata/testdata/test3.json

I have not yet tried doing using json_v2 as data_format.

I have experimented with the built in Telegraf plugin and [[inputs.suricata] though:
https://github.com/opnsense/core/pull/5151

I am opting to use the [[inputs.suricata]] plugin instead, as it reports a lot of statistics, and future versions shipped with OPNsense should be able to report alerts as well.

Sorry for the wall of text :)

[mimugmail]

I only use influx v1 as v2 is not yet available for FreeBSD. I will take a look at the json_v2 syntax next week.
The way via suricata plugin is something for 22.1 when base is FreeBSD 13, I'd guess this should be way easiert to handle.

[fichtner]

Merged, thanks!