<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1492290024782_76125"><span id="yui_3_16_0_ym19_1_1492290024782_76183">Thank you -- that was very helpful!</span></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1492290024782_76126"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1492290024782_76130" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;" id="yui_3_16_0_ym19_1_1492290024782_76129"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1492290024782_76128"> <div dir="ltr" id="yui_3_16_0_ym19_1_1492290024782_76127"> <font size="2" face="Arial" id="yui_3_16_0_ym19_1_1492290024782_76182"> <hr size="1" id="yui_3_16_0_ym19_1_1492290024782_76181"> <b><span style="font-weight:bold;">From:</span></b> Jason Ish <lists@ish.cx><br> <b><span style="font-weight: bold;">To:</span></b> oisf-users@lists.openinfosecfoundation.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Sunday, April 16, 2017 7:50 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Oisf-users] Sguil & Suricata Help<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1492290024782_76186"><br><div dir="ltr" id="yui_3_16_0_ym19_1_1492290024782_76188">On 16/04/17 12:22 PM, Darius Fattahipour wrote:<div class="yqt9164040853" id="yqtfd11524"><br clear="none">> Hi,<br clear="none">> <br clear="none">> I've been struggling to get suricata alerts appear in Sguil. I've tried <br clear="none">> many different types of configurations to no avail. 
Here's the<br clear="none">> command I utilize:<br clear="none">> <br clear="none">> suricata -c /etc/nsm/pching-VM-eth1/suricata.yaml -r inside.tcpdump -F <br clear="none">> /etc/nsm/pching-VM-eth1/bpf-ids.conf<br clear="none">> <br clear="none">> The inside.tcpdump is a pcap file. I've also attached my suricata.yaml.</div><br clear="none"><br clear="none">This is probably more of a Sguil issue than a Suricata issue.. But I <br clear="none">believe that Sguil requires the unified2 log file which you don't appear <br clear="none">to have enabled. Suricata won't get those events into Sguil for you <br clear="none">though, that is a function of Sguil.<br clear="none"><br clear="none">Jason<br clear="none">_______________________________________________<br clear="none">Suricata IDS Users mailing list: <a shape="rect" ymailto="mailto:oisf-users@openinfosecfoundation.org" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br clear="none">Site: <a shape="rect" href="http://suricata-ids.org/" target="_blank">http://suricata-ids.org </a>| Support: <a shape="rect" href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br clear="none">List: <a shape="rect" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><div class="yqt9164040853" id="yqtfd98797"><br clear="none"></div></div><br><br></div> </div> </div> </div></div></body></html>
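Added example, not part of the thread above and not taken from the poster's attached suricata.yaml (which is not reproduced on this page): the `outputs:` entry that turns on Suricata's unified2 writer, the output Jason's reply says is missing from the configuration. The filename, size limit and sensor id are the stock defaults from the suricata.yaml shipped with Suricata; the surrounding `outputs:` list would also carry whatever other loggers (fast, eve) the sensor already uses. Unified2 output was removed in Suricata 6.0, so this applies to the 3.x/4.x releases current when the thread was written.

```yaml
outputs:
  # Unified2 alert output: binary alert + packet records in the Snort
  # unified2 format. Suricata only writes the files; a separate spooler
  # (outside Suricata, as the reply notes) reads them on behalf of Sguil.
  - unified2-alert:
      enabled: yes              # 'no' (or a missing entry) means no unified2 files at all
      filename: unified2.alert  # Suricata appends the Unix timestamp at open time
      limit: 32mb               # rotate to a new file when this size is reached
      sensor-id: 0              # sensor id stamped into every record
```

The files land in the log directory (`-l` on the command line, or `default-log-dir` in the yaml) as `unified2.alert.<timestamp>`. With the poster's command unchanged (`-r inside.tcpdump` and the `-F` BPF file), check that directory after the run: no `unified2.alert.*` file means this output is still not enabled in the yaml actually passed with `-c`; a file that appears but stays empty means no rule matched the pcap, which fast.log or eve.json will confirm.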