[Oisf-users] Couple of questions regarding stats.log
Victor Julien
victor at inliniac.net
Tue Jun 12 21:50:45 UTC 2012
On 06/12/2012 09:48 PM, Brandon Ganem wrote:
> Peter,
> Looks to be rev 9f7588a (was the latest git at the time, about a week ago?)
>
> output from suricata --build-info:
> [12882] 12/6/2012 -- 14:23:26 - (suricata.c:503) <Info>
> (SCPrintBuildInfo) -- This is Suricata version 1.3dev (rev 9f7588a)
> [12882] 12/6/2012 -- 14:23:26 - (suricata.c:576) <Info>
> (SCPrintBuildInfo) -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1
> PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1
> HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
> PCRE_JIT HAVE_NSS
> [12882] 12/6/2012 -- 14:23:26 - (suricata.c:590) <Info>
> (SCPrintBuildInfo) -- 64-bits, Little-endian architecture
> [12882] 12/6/2012 -- 14:23:26 - (suricata.c:592) <Info>
> (SCPrintBuildInfo) -- GCC version 4.5.2, C version 199901
> [12882] 12/6/2012 -- 14:23:26 - (suricata.c:598) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
> [12882] 12/6/2012 -- 14:23:26 - (suricata.c:601) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
> [12882] 12/6/2012 -- 14:23:26 - (suricata.c:604) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
> [12882] 12/6/2012 -- 14:23:26 - (suricata.c:607) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
> [12882] 12/6/2012 -- 14:23:26 - (suricata.c:610) <Info>
> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
> [12882] 12/6/2012 -- 14:23:26 - (suricata.c:614) <Info>
> (SCPrintBuildInfo) -- compiled with -fstack-protector
> [12882] 12/6/2012 -- 14:23:26 - (suricata.c:620) <Info>
> (SCPrintBuildInfo) -- compiled with _FORTIFY_SOURCE=2
>
>
> Victor:
> Honestly, it's hard to say. I'll try to correlate the drops to less than
> expected logs.
>
> I let it run over the weekend. It seems to have an inverse relationship
> with the traffic I see, to the number of files logged. Sat and Sunday
> seem to log more consistently than weekdays. See graph below.
>
> Maybe the box can't handle the traffic? Thanks for all the help.
If the box is overwhelmed you should be able to notice that in your
stats.log with high drop and reassembly gap counts. If you're not seeing
that, I suspect something else is happening.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
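One way to run the check Victor describes, as an added example that is not part of the thread: a small Python parser over a constructed stats.log in the classic "Counter | TM Name | Value" layout that sums the latest dump's kernel drop and reassembly gap counters across threads. The counter names, the 1% drop threshold and all sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the classic stats.log layout: two periodic dumps,
# counter names as stats.log prints them for AF_PACKET capture and TCP
# reassembly, values invented. Counters are cumulative since start-up.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 6/12/2012 -- 14:20:00 (uptime: 0d, 00h 10m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1000000
capture.kernel_drops      | AFPacketeth01             | 0
tcp.reassembly_gap        | Detect                    | 2
-------------------------------------------------------------------
Date: 6/12/2012 -- 14:30:00 (uptime: 0d, 00h 20m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 3000000
capture.kernel_drops      | AFPacketeth01             | 240000
capture.kernel_packets    | AFPacketeth02             | 2500000
capture.kernel_drops      | AFPacketeth02             | 60000
tcp.reassembly_gap        | Detect                    | 4100
"""
ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_dumps(text):
    """Return one {counter: {thread: value}} dict per 'Date:' dump."""
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append(defaultdict(dict))
        elif (m := ROW.match(line)) and dumps:
            counter, thread, value = m.groups()
            dumps[-1][counter][thread] = int(value)
    return dumps

def assess(text, drop_pct_limit=1.0):
    """Sum the latest dump over all threads and flag an overwhelmed sensor."""
    latest = {c: sum(v.values()) for c, v in parse_dumps(text)[-1].items()}
    packets = latest.get("capture.kernel_packets", 0)
    drops = latest.get("capture.kernel_drops", 0)
    # Assumption: kernel_packets counts everything the kernel saw, drops included.
    drop_pct = 100.0 * drops / packets if packets else 0.0
    return {"drop_pct": round(drop_pct, 2),
            "reassembly_gaps": latest.get("tcp.reassembly_gap", 0),
            "overwhelmed": drop_pct > drop_pct_limit}
```

Run `assess(open("stats.log").read())` against a real file; a sensor that is keeping up shows a drop percentage near zero and a reassembly gap count that does not climb steeply between dumps.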