<div dir="ltr">Thank you for your reply. I have noticed that all goes well until I start barnyard2. It then loads the files once into the database, and then Suricata stops writing to the fast and unified2 files.<div>
<br></div><div>The last info in suricata.log is:</div><div>
<p class="">28/10/2013 -- 18:50:43 - <Info> - all 2 packet processing threads, 3 management threads initialized, engine started.</p>
<p class="">28/10/2013 -- 18:53:10 - <Info> - More than 1/10th of packets have an invalid checksum, assuming checksum offloading is used (401/1000)</p></div><div><br></div><div>18:53 is when barnyard2 started and these are the timestamps on the files themselves.</div>
<div><br></div><div>
<p class="">-rw-r----- 1 root root 103196 Oct 28 18:53 unified2.alert.1383000643</p>
<p class="">-rw-r----- 1 root root 457260 Oct 28 18:53 fast.log</p>
<p class="">-rw-r--r-- 1 root root 10335595 Oct 28 18:55 stats.log</p><p class=""><br></p><p class="">So even if I want 1 hour, the timestamp of stats.log will keep on changing but fast.log and unified2 timestamps and sizes are not changing.</p>
<p class=""><br></p><p class="">Hope that helps.</p></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Oct 28, 2013 at 6:19 PM, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 10/28/2013 06:47 PM, Olivier Doisneau wrote:<br>
> I am new to Suricata and not even sure if this is the right place for my question. But in short, I have a server with Suricata installed and running and Barnyard2 to push the logs to the mysql database. All is working fine but I am surprised to see the unified2 file is not growing, Barnyard2 is saying waiting for data but the stats.log is saying that it is moving along. If I stop and restart suricata, then there is data read by Barnyard2 and successfully pushed out. Is data being written to another location than the directory in yaml for the unified2 file? Am I missing something, I imagined that the logs would continue growing all day.<br>
<br>
</div>Is your fast.log enabled as well? Do you get alerts in there? Maybe<br>
there are just no alerts.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</font></span></blockquote></div><br></div>
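The thread above hinges on whether the unified2 spool is actually receiving alert records, or whether the file has simply stopped at a partial record that barnyard2 is waiting on. The following script is an added example, not code from the thread, from Suricata or from barnyard2: it walks a unified2 file record by record (4-byte type, 4-byte length, both big-endian, as laid out in Snort's Unified2_common.h), counts IDS event records (types 7 and 104), reports the newest event_second, and notes any half-written record at the tail. The sample spool, signature IDs, addresses and timestamps are constructed for the demonstration; the one-hour staleness threshold is an assumption matching the wait described in the message.

```python
"""Count alert records in a Suricata/Snort unified2 spool file and report
whether new events are still arriving. Added example; not part of the
original mailing-list thread, and not Suricata's or barnyard2's own code.
"""
import os
import socket
import struct
import sys
import time

# Record type codes from Snort's Unified2_common.h (also written by Suricata).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with MPLS/VLAN fields, 60-byte body
UNIFIED2_EXTRA_DATA = 110

ALERT_TYPES = (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN)

# Every record starts with a big-endian (type, length) header; length excludes the header.
RECORD_HEADER = struct.Struct("!II")
# Fields shared by the type 7 and type 104 event bodies (the first 52 bytes).
IDS_EVENT_COMMON = struct.Struct("!9I4s4sHHBBBB")
# Full type 104 body: common fields + mpls_label, vlan_id, pad.
IDS_EVENT_VLAN = struct.Struct("!9I4s4sHHBBBBIHH")
# Unified2Packet header: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length; raw packet bytes follow.
PACKET_HEADER = struct.Struct("!7I")


def summarize(data):
    """Walk the complete records in `data`; return counts and the newest event time."""
    counts = {}
    sids = set()
    last_event_second = None
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        body_start = offset + RECORD_HEADER.size
        if body_start + rlen > len(data):
            # Incomplete record at the tail: the writer has not finished it yet
            # (or the file was truncated). barnyard2 waits at exactly this point.
            break
        body = data[body_start:body_start + rlen]
        counts[rtype] = counts.get(rtype, 0) + 1
        if rtype in ALERT_TYPES and len(body) >= IDS_EVENT_COMMON.size:
            fields = IDS_EVENT_COMMON.unpack_from(body)
            event_second, signature_id = fields[2], fields[4]
            sids.add(signature_id)
            if last_event_second is None or event_second > last_event_second:
                last_event_second = event_second
        offset = body_start + rlen
    return {
        "records": counts,
        "alerts": sum(counts.get(t, 0) for t in ALERT_TYPES),
        "signature_ids": sorted(sids),
        "last_event_second": last_event_second,
        "trailing_bytes": len(data) - offset,
    }


def build_event(signature_id, event_second, event_id):
    """Constructed type 104 record for the sample below (not captured from a sensor)."""
    body = IDS_EVENT_VLAN.pack(
        1, event_id, event_second, 0,            # sensor_id, event_id, event_second, event_usec
        signature_id, 1, 1, 0, 2,                # sid, gid, rev, classification_id, priority
        socket.inet_aton("10.0.0.1"), socket.inet_aton("192.0.2.10"),
        40000, 80, 6, 0, 0, 0,                   # sport, dport, proto=TCP, impact_flag, impact, blocked
        0, 0, 0)                                 # mpls_label, vlan_id, pad
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT_VLAN, len(body)) + body


def build_packet(event_id, event_second, payload):
    """Constructed type 2 (packet) record that accompanies an event."""
    body = PACKET_HEADER.pack(1, event_id, event_second, event_second, 0, 1, len(payload)) + payload
    return RECORD_HEADER.pack(UNIFIED2_PACKET, len(body)) + body


# Constructed sample spool: two alerts, one packet, then a half-written record.
SAMPLE_SPOOL = (
    build_event(2100498, 1383000790, 1)
    + build_packet(1, 1383000790, b"\x45\x00" * 20)
    + build_event(2010935, 1383000795, 2)
    + RECORD_HEADER.pack(UNIFIED2_IDS_EVENT_VLAN, IDS_EVENT_VLAN.size) + b"\x00" * 10
)


def spool_status(path, max_age_seconds=3600):
    """Return (summary, seconds since last mtime, stale?) for a unified2 file on disk."""
    with open(path, "rb") as fh:
        summary = summarize(fh.read())
    age = time.time() - os.stat(path).st_mtime
    return summary, age, age > max_age_seconds


if __name__ == "__main__":
    if len(sys.argv) > 1:
        summary, age, stale = spool_status(sys.argv[1])
        print("%s: %s, mtime %.0fs ago%s" % (sys.argv[1], summary, age, " (stale)" if stale else ""))
    else:
        print(summarize(SAMPLE_SPOOL))
```

Run it against the spool named in the listing (`python unified2_status.py /var/log/suricata/unified2.alert.1383000643`) while stats.log is still ticking: if `alerts` does not increase between two runs and `trailing_bytes` is 0, Suricata is not producing new alerts at all; if `trailing_bytes` is non-zero and unchanged, the writer stopped mid-record, which is the case barnyard2 reports as "waiting for data".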