How to Monitor Suricata Using Monit and Send Email Alerts
Overview
Monit is a lightweight and easy-to-use monitoring tool that can be used to monitor processes like Suricata and ensure they are always running. In this guide, we will configure Monit to monitor Suricata, detect when it is down or using too many resources, and send email alerts when necessary.
Step 1: Install Monit
On Ubuntu/Debian systems:
sudo apt-get update
sudo apt-get install monit
On CentOS/RHEL systems (Monit is packaged in EPEL, so enable that repository first; on RHEL 8 and later use dnf in place of yum):
sudo yum install monit
Step 2: Configure Monit to Monitor Suricata
Open Monit's configuration file (on Debian/Ubuntu this is /etc/monit/monitrc; on CentOS/RHEL the main file is /etc/monitrc, which includes the fragments in /etc/monit.d/):

```bash
sudo nano /etc/monit/monitrc
```

Add a configuration block for the Suricata process. It checks that Suricata is running, restarts it if it is not, and alerts when resource use looks abnormal.

Add the following lines to the monitrc file:

```
check process suricata with pidfile /var/run/suricata.pid
  start program = "/usr/bin/systemctl start suricata"
  stop program  = "/usr/bin/systemctl stop suricata"
  if cpu > 60% for 2 cycles then alert
  if memory > 500 MB for 2 cycles then alert
  if 5 restarts within 5 cycles then timeout
```

This configuration will:
- Monitor the Suricata process through its pidfile.
- Restart Suricata if it is not running (Monit runs the start program whenever the pid in the file does not belong to a live process).
- Send email alerts if Suricata exceeds the CPU or memory threshold for two consecutive cycles.
- Stop monitoring Suricata, with an alert, if it had to be restarted five times within five cycles; this keeps a broken install from restart-looping forever.

Two caveats before you copy the block:
- The pidfile path must be one Suricata actually writes. The Debian/Ubuntu unit passes --pidfile on its ExecStart line, and /var/run is a symlink to /run on systemd hosts, so the two spellings are equivalent there. If the path is wrong, Monit sees no live process, reports Suricata as down every cycle, and restarts it until the timeout rule fires. Check the unit with systemctl cat suricata; if it passes no --pidfile, use Monit's matching keyword (which identifies the process by its command line) in place of with pidfile.
- The thresholds are placeholders. A production sensor with a full ruleset normally uses far more than 500 MB and keeps its worker cores busy, so derive the limits from a measured baseline (monit status reports the process's CPU and memory once the check is active). A cycle is the set daemon interval in monitrc (120 seconds in the distribution default), so "2 cycles" is roughly four minutes.
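Before trusting the pidfile path, check what the Suricata unit actually does. The script below is an added example, not code from the original article or from the Monit or Suricata projects: it pulls the --pidfile argument out of a unit's ExecStart line (the text printed by systemctl cat suricata) and emits the matching Monit check block, falling back to Monit's command-line matching form when the unit writes no pidfile. The unit fragments it runs against are constructed in the style of the Debian/Ubuntu unit, the /usr/bin/suricata path in the matching regex is assumed, and the thresholds are the article's placeholders.

```sh
#!/bin/sh
# Added example (not from the original article): derive the Monit
# "check process" line for Suricata from its systemd unit, so the pidfile
# in monitrc is the one Suricata really writes. Assumption: the unit passes
# --pidfile on its ExecStart line, as the Debian/Ubuntu packages do; if it
# does not, fall back to Monit's "matching" form (match on command line).

# Print the --pidfile argument found on the unit's ExecStart line, or nothing.
#   $1: unit text, e.g. "$(systemctl cat suricata)"
unit_pidfile() {
    printf '%s\n' "$1" |
        sed -n 's/^ExecStart=.*--pidfile[= ]\([^ ]*\).*/\1/p' |
        head -n 1
}

# Print a complete Monit check block for Suricata, choosing the pidfile
# form when the unit writes one and the "matching" form otherwise.
# Thresholds are the article's placeholders; tune them to your baseline.
#   $1: unit text
monit_check_block() {
    pidfile=$(unit_pidfile "$1")
    if [ -n "$pidfile" ]; then
        echo "check process suricata with pidfile $pidfile"
    else
        # Assumed binary path; adjust if your package installs elsewhere.
        echo 'check process suricata matching "^/usr/bin/suricata"'
    fi
    cat <<'EOF'
  start program = "/usr/bin/systemctl start suricata"
  stop program  = "/usr/bin/systemctl stop suricata"
  if cpu > 60% for 2 cycles then alert
  if memory > 500 MB for 2 cycles then alert
  if 5 restarts within 5 cycles then timeout
EOF
}

# Constructed unit fragments in the style of the Debian/Ubuntu unit; the
# real one is longer, but only the ExecStart line matters here.
UNIT_WITH_PIDFILE='[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid --af-packet'
UNIT_WITHOUT_PIDFILE='[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet'

# On a real sensor, feed the live unit instead:
#   monit_check_block "$(systemctl cat suricata)" | sudo tee /etc/monit/conf.d/suricata
monit_check_block "$UNIT_WITH_PIDFILE"
```

On Debian/Ubuntu the default monitrc includes /etc/monit/conf.d/*, so the generated block can live in its own file there instead of in monitrc; after writing it, validate with sudo monit -t and load it with sudo monit reload.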
Step 3: Configure Email Alerts in Monit
Monit needs to be configured to send emails when alerts are triggered.

In the monitrc file, configure the email server settings. Add the following lines:

```
set mailserver smtp.example.com port 587
    username "your-email@example.com" password "your-email-password"
    using tlsv12                      # Use TLS for secure email delivery
set alert your-email@example.com      # Your email to receive alerts

# Optional: customize the email content
set mail-format {
  from: monit@your-domain.com
  subject: Monit alert -- $SERVICE $EVENT
  message: $SERVICE $EVENT at $DATE on $HOST: $DESCRIPTION.
}
```

The keyword after using selects the TLS version: tlsv1 (TLS 1.0) is rejected by most mail providers today, so tlsv12 is used here.

Replace:
- smtp.example.com with the SMTP server of your email provider (e.g., Gmail, SendGrid, or your own mail server).
- your-email@example.com with the address the alerts are sent from; the set alert line takes the address they are sent to, and the two may differ.
- your-email-password with the password for the SMTP account. Use a dedicated account or an app-specific password rather than your primary mailbox credentials, because the password sits in clear text in monitrc. Monit only starts if the control file is readable by its owner alone, so keep it owned by root with mode 0600.

Monit delivers alerts to the mail server itself. If the server is unreachable when an event fires, the alert is only retried if an event queue is configured (set eventqueue with a basedir and slots), which the Debian/Ubuntu default monitrc already enables.
Step 4: Enable and Start Monit
After configuring Monit, enable the service and start it. Monit parses the control file at startup and refuses to run on a syntax error or if monitrc is group- or world-readable, so if the service fails to come up, read the error in systemctl status monit first. If Monit was already running when you edited the file, restart it so the new check is loaded.

Enable Monit to start at boot:

```bash
sudo systemctl enable monit
```

Start the Monit service:

```bash
sudo systemctl start monit
```

Check the status of Monit to ensure it is running:

```bash
sudo systemctl status monit
```

You can also check Monit's internal status, including whether the suricata check is active and the process's current CPU and memory use, with:

```bash
sudo monit status
```

The monit command line talks to the daemon over its HTTP interface, so this only works once that interface is enabled (Step 6); until then it fails with a connection error.
Step 5: Test Email Alerts
Simulate a Suricata failure: to test whether Monit sends an email notification, stop the Suricata service manually and see if Monit detects it and sends an alert.

Stop Suricata:

```bash
sudo systemctl stop suricata
```

Within one cycle Monit should log that the process is not running, send the alert, and run the start program, so expect both the "not running" email and a Suricata that is back up. Monit will do exactly the same during planned maintenance; tell it to unmonitor the check first when you stop Suricata on purpose.

Check logs: you can also read Monit's log to see whether the alert was triggered and what action followed:

```bash
tail -f /var/log/monit.log
```

That path is the set logfile value in the distribution monitrc; if yours is set to syslog, look in the journal instead.
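Reading the log is more reliable than waiting for the inbox. The script below is an added example, not code from the original article or from the Monit project: it summarises what Monit did about one service, so you can confirm that the failure was detected, a restart was attempted and the process came back, and spot a restart loop before the "5 restarts within 5 cycles" rule silences the check. The sample lines are constructed in the layout Monit writes to /var/log/monit.log ("[TZ Mon dd hh:mm:ss] level : 'service' message"); the timestamps, version and pid are invented.

```sh
#!/bin/sh
# Added example (not from the original article). Summarise Monit's log for
# one service. The sample log is constructed in the layout Monit uses;
# times, version and pid are invented. Point the functions at
# /var/log/monit.log on a real host.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[UTC Mar  3 10:00:00] info     : Monit 5.33.0 started
[UTC Mar  3 10:02:00] error    : 'suricata' process is not running
[UTC Mar  3 10:02:00] info     : 'suricata' trying to restart
[UTC Mar  3 10:02:00] info     : 'suricata' start: '/usr/bin/systemctl start suricata'
[UTC Mar  3 10:04:00] info     : 'suricata' process is running with pid 4242
[UTC Mar  3 10:06:00] error    : 'suricata' process is not running
[UTC Mar  3 10:06:00] info     : 'suricata' trying to restart
[UTC Mar  3 10:06:00] info     : 'suricata' start: '/usr/bin/systemctl start suricata'
[UTC Mar  3 10:08:00] error    : 'suricata' process is not running
[UTC Mar  3 10:08:00] info     : 'suricata' trying to restart
EOF

# Every line Monit logged about a service, as "[timestamp] message".
#   $1: log file, $2: service name as written in monitrc
service_timeline() {
    grep "'$2'" "$1" | sed 's/\] *[a-z]* *: /] /'
}

# How many times Monit tried to restart the service.
restart_attempts() {
    grep -c "'$2' trying to restart" "$1" || true   # grep -c exits 1 on zero matches
}

# Last state Monit recorded: running, down, or unknown if never seen.
last_state() {
    awk -v svc="'$2'" '
        $0 ~ (svc " process is running")     { state = "running" }
        $0 ~ (svc " process is not running") { state = "down" }
        END { print (state == "" ? "unknown" : state) }' "$1"
}

# Restart attempts since the service was last seen running. A rising
# count means the start program is not bringing Suricata back; once the
# "5 restarts within 5 cycles" rule trips, Monit gives up on the check.
unrecovered_restarts() {
    awk -v svc="'$2'" '
        $0 ~ (svc " trying to restart")  { n++ }
        $0 ~ (svc " process is running") { n = 0 }
        END { print n + 0 }' "$1"
}

service_timeline    "$SAMPLE_LOG" suricata
echo "restart attempts:     $(restart_attempts "$SAMPLE_LOG" suricata)"
echo "last recorded state:  $(last_state "$SAMPLE_LOG" suricata)"
echo "unrecovered restarts: $(unrecovered_restarts "$SAMPLE_LOG" suricata)"
```

Against the sample, the first restart succeeded (the process came back at 10:04) and the next two did not, which is exactly the pattern to look for when an alert arrives more than once: Monit keeps restarting, but something (a bad rule file, a missing interface, the wrong pidfile path) keeps Suricata from staying up.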
Step 6: Access the Monit Web Interface
If you want to access Monit via the web interface, you can enable it in the monitrc file:

Open the Monit configuration file:

```bash
sudo nano /etc/monit/monitrc
```

Uncomment or add the following lines to enable the web interface:

```
set httpd port 2812 and
    use address localhost   # Only accept connections from localhost
    allow localhost         # Allow localhost access without authentication
```

Access the Monit web interface by opening your browser and navigating to:

http://localhost:2812

You can view Suricata's status and other monitored services here. The interface is not read-only: it can start, stop and unmonitor services, and the monit command line uses the same port, so allow localhost without credentials hands that control to every local user. Add an allow username:password entry, and if you ever bind to a non-loopback address, enable TLS on the interface (Monit's httpd takes a pemfile for this) before exposing it beyond the machine itself.
Conclusion
By using Monit, you can easily monitor Suricata’s health and performance, and set up email alerts to notify you when Suricata is down, consuming too many resources, or needs to be restarted. Monit is a lightweight yet powerful tool that ensures your Suricata-based IDS/IPS system remains operational, providing you with peace of mind and quick recovery if issues arise.