Feature Request
Opening a feature request kicks off a discussion.
Proposal:
Suricata IDS is mostly used to trigger alerts based on network traffic; the proposal is to also parse those alerts in the Telegraf Suricata input.
Current behavior:
Currently the Suricata Telegraf input is only able to parse metrics of event type "stats": https://suricata.readthedocs.io/en/latest/performance/statistics.html
Desired behavior:
Optional flag to enable alerts measurements in telegraf.
Input configuration:
```toml
[[inputs.suricata]]
...
# Enable/disable alerts measurement
alerts = true
```
Instead of having only one field, suricata, I would add multiple, one for each Suricata event type: suricata_stats, suricata_alerts, etc. for future event types.
Possible output:
```text
suricata_stats,host=myhost,thread=FM#01 flow_mgr_rows_empty=0,flow_mgr_rows_checked=65536,flow_mgr_closed_pruned=0,flow_emerg_mode_over=0,flow_mgr_flows_timeout_inuse=0,flow_mgr_rows_skipped=65535,flow_mgr_bypassed_pruned=0,flow_mgr_flows_removed=0,flow_mgr_est_pruned=0,flow_mgr_flows_notimeout=1,flow_mgr_flows_checked=1,flow_mgr_rows_busy=0,flow_spare=10000,flow_mgr_rows_maxlen=1,flow_mgr_new_pruned=0,flow_emerg_mode_entered=0,flow_tcp_reuse=0,flow_mgr_flows_timeout=0 1568368562545197545
suricata_alerts,host=myhost action=allowed,category=Misc activity,gid=1,rev=0,severity=3,signature=LOCAL_TCP_DOS,signature_id=6 1568368562545174807
```
Use case:
Track any alert generated by Suricata IDS
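An added sketch of the parsing step this request asks for, written for this issue and not taken from the Telegraf Suricata plugin: it reads one Suricata EVE JSON line, emits a `suricata_alerts` metric with the fields shown in the sample output only when the proposed `alerts` option is on, and skips other event types such as `stats`. `eveEvent`, `Metric`, `ParseEve` and the sample EVE line are all assumptions constructed for the example.

```go
package main
import (
	"encoding/json"
	"fmt"
)
// eveEvent is the subset of a Suricata EVE JSON record needed for alerts.
type eveEvent struct {
	EventType string `json:"event_type"`
	Alert     *struct {
		Action      string `json:"action"`
		GID         int64  `json:"gid"`
		SignatureID int64  `json:"signature_id"`
		Rev         int64  `json:"rev"`
		Signature   string `json:"signature"`
		Category    string `json:"category"`
		Severity    int64  `json:"severity"`
	} `json:"alert"`
}
// Metric is a minimal stand-in for a Telegraf metric (measurement plus fields).
type Metric struct {
	Measurement string
	Fields      map[string]interface{}
}
// SampleAlertLine is a constructed EVE alert matching the issue's sample output.
const SampleAlertLine = `{"timestamp":"2019-09-13T10:36:02.545174+0000","event_type":"alert",` +
	`"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"allowed",` +
	`"gid":1,"signature_id":6,"rev":0,"signature":"LOCAL_TCP_DOS","category":"Misc activity","severity":3}}`
// ParseEve converts one EVE line into a suricata_alerts metric when alertsEnabled (the
// proposed "alerts = true" option) is set. Other event types such as "stats", and alerts
// seen while the option is off, yield (nil, nil); malformed JSON or a missing alert object is an error.
func ParseEve(line []byte, alertsEnabled bool) (*Metric, error) {
	var ev eveEvent
	if err := json.Unmarshal(line, &ev); err != nil {
		return nil, fmt.Errorf("invalid EVE JSON: %w", err)
	}
	if ev.EventType != "alert" || !alertsEnabled {
		return nil, nil
	}
	if ev.Alert == nil {
		return nil, fmt.Errorf("alert event without alert object")
	}
	// Text values such as "Misc activity" stay strings so the line-protocol serializer escapes them.
	return &Metric{Measurement: "suricata_alerts", Fields: map[string]interface{}{
		"action": ev.Alert.Action, "category": ev.Alert.Category, "gid": ev.Alert.GID,
		"rev": ev.Alert.Rev, "severity": ev.Alert.Severity,
		"signature": ev.Alert.Signature, "signature_id": ev.Alert.SignatureID,
	}}, nil
}
```

Note that `category=Misc activity` in the sample output contains a space, so a real serializer has to quote or escape it; keeping such values as string fields leaves that to Telegraf's line-protocol serializer.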