telegraf/plugins/inputs/iptables
Cameron Sparr 2eee1b84fb
break telegraf registry into separate package
this is for supporting external plugins.

external plugins will depend on a few telegraf interface types, as well
as a common telegraf registry.

this will allow external and internal plugins to both share this package
and make it easier to vendor/version the whole thing semantically, which
will make it easier to keep plugins supported across build and telegraf
versions.

see #1717
2017-02-06 11:16:29 +00:00
..
README.md Add lock option to the IPtables input plugin (#2201) 2017-02-01 14:37:18 +00:00
iptables.go break telegraf registry into separate package 2017-02-06 11:16:29 +00:00
iptables_nocompile.go Add new iptables plugin 2016-08-31 10:42:44 +01:00
iptables_test.go Add new iptables plugin 2016-08-31 10:42:44 +01:00

README.md

Iptables Plugin

The iptables plugin gathers packets and bytes counters for rules within a set of table and chain from the Linux's iptables firewall.

Rules are identified through associated comment. Rules without comment are ignored.

The iptables command requires CAP_NET_ADMIN and CAP_NET_RAW capabilities. You have several options to grant telegraf to run iptables:

  • Run telegraf as root. This is strongly discouraged.
  • Configure systemd to run telegraf with CAP_NET_ADMIN and CAP_NET_RAW. This is the simplest and recommended option.
  • Configure sudo to grant telegraf to run iptables. This is the most restrictive option, but require sudo setup.

Using systemd capabilities

You may run systemctl edit telegraf.service and add the following:

[Service]
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN

Since telegraf will fork a process to run iptables, AmbientCapabilities is required to transmit the capabilities bounding set to the forked process.

Using sudo

You may edit your sudo configuration with the following:

telegraf ALL=(root) NOPASSWD: /usr/bin/iptables -nvL *

Using IPtables lock feature

Defining multiple instances of this plugin in telegraf.conf can lead to concurrent IPtables access resulting in "ERROR in input [inputs.iptables]: exit status 4" messages in telegraf.log and missing metrics. Setting 'use_lock = true' in the plugin configuration will run IPtables with the '-w' switch, allowing a lock usage to prevent this error.

Configuration:

  # use sudo to run iptables
  use_sudo = false
  # run iptables with the lock option
  use_lock = false
  # defines the table to monitor:
  table = "filter"
  # defines the chains to monitor:
  chains = [ "INPUT" ]

Measurements & Fields:

  • iptables
    • pkts (integer, count)
    • bytes (integer, bytes)

Tags:

  • All measurements have the following tags:
    • table
    • chain
    • ruleid

The ruleid is the comment associated to the rule.

Example Output:

$ iptables -nvL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
100   1024   ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:22 /* ssh */
 42   2048   ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:80 /* httpd */
$ ./telegraf -config telegraf.conf -input-filter iptables -test
iptables,table=filter,chain=INPUT,ruleid=ssh pkts=100i,bytes=1024i 1453831884664956455
iptables,table=filter,chain=INPUT,ruleid=httpd pkts=42i,bytes=2048i 1453831884664956455