<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:PMingLiU;
panose-1:2 2 5 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head><body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">I am looking for just the errors. In Splunk it parses as such. I would like to know if I search for either error or ERR that I will get all errors.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> <b>engine</b>: { <a href="http://192.168.3.63:8000/en-US/app/search/search?earliest=-30d%40d&latest=now&q=search%20host%3D*%20source%3D%22%2Fvar%2Flog%2Fsuricata.log%22%20%20ERR&display.page.search.mode=verbose&dispatch.sample_ratio=1&sid=1500054577.4582">
[-]</a> <br>
<b>error</b>: SC_ERR_NO_RULES_LOADED <br>
<b>error_code</b>: 43 <br>
<b>message</b>: 1 rule files specified, but no rule was loaded at all! <o:p>
</o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Times New Roman",serif">Charles DeVoe Jr.</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">Manager of Engineering<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">Multi-State Information Sharing and Analysis Center (MS-ISAC) <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">31 Tech Valley Drive<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">East Greenbush, NY 12061<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">charles.devoe@cisecurity.org<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">(518) 266-3494<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">7x24 Security Operations Center<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><a href="mailto:SOC@cisecurity.org"><span style="color:#0563C1">SOC@cisecurity.org</span></a> - 1-866-787-4722<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><img border="0" width="237" height="55" id="_x0000_i1029" src="cid:image001.png@01D2FCA8.6C9DC570"></span><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">
</span><a href="https://www.facebook.com/CenterforIntSec"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:windowtext;text-decoration:none"><img border="0" width="32" height="33" id="_x0000_i1028" src="cid:image002.png@01D2FCA8.6C9DC570" alt="id:image002.png@01D2926D.D9CF2E90"></span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span><a href="https://twitter.com/CISecurity"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:windowtext;text-decoration:none"><img border="0" width="32" height="33" id="_x0000_i1027" src="cid:image003.png@01D2FCA8.6C9DC570" alt="id:image003.png@01D2926D.D9CF2E90"></span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span><a href="https://www.youtube.com/user/TheCISecurity"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:windowtext;text-decoration:none"><img border="0" width="32" height="33" id="_x0000_i1026" src="cid:image004.png@01D2FCA8.6C9DC570" alt="id:image004.png@01D2926D.D9CF2E90"></span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span><a href="https://www.linkedin.com/company/the-center-for-internet-security"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:windowtext;text-decoration:none"><img border="0" width="32" height="33" id="_x0000_i1025" src="cid:image005.png@01D2FCA8.6C9DC570" alt="id:image005.png@01D2926D.D9CF2E90"></span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Eric Leblond <eric@regit.org><br>
<b>Date: </b>Friday, July 14, 2017 at 1:30 PM<br>
<b>To: </b>Charles Devoe <Charles.Devoe@cisecurity.org>, "oisf-users@lists.openinfosecfoundation.org" <oisf-users@lists.openinfosecfoundation.org><br>
<b>Subject: </b>Re: [Oisf-users] Searching Suricata logs<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
Hi,<br>
<br>
On Fri, 2017-07-14 at 17:02 +0000, Charles Devoe wrote:<br>
> I am attempting to watch the log files from suricata that are in json<br>
> format. I specifically want to watch for errors. Can I assume all<br>
> error conditions will have the word “error”? <span style="font-family:"PMingLiU",serif"><br>
<br>
</span>If by error you mean Suricata error like engine error, you will not<span style="font-family:"PMingLiU",serif"><br>
</span>find them in the eve.json file but rather in suricata.log that can also<span style="font-family:"PMingLiU",serif"><br>
</span>be in json.<span style="font-family:"PMingLiU",serif"><br>
</span>If ever all you logs get to a database you can look for<span style="font-family:"PMingLiU",serif"><br>
</span>event_type:engine to find them.<br>
<br>
BR,<br>
-- <br>
Eric Leblond <eric@regit.org><br>
Blog: <a href="https://home.regit.org/">
https://home.regit.org/</a><br>
<br>
..... <br>
<br>
<o:p></o:p></p>
</div>
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
immediately and permanently delete the message and any attachments.
<br /><br />. . . . .</body></html>