[Oisf-users] fast.log empty

Jutaro Kajita j.kajita at espeid.jp
Fri Jan 25 03:33:33 UTC 2013


Hi, to all.

I recently built Suricata 1.4 from source on CentOS 5.9,
and as in the tutorial, Adding Your Rules, I added local.rules,
but after opening several pages on the server, fast.log still contains
zero lines.

Here are the parts of my .yaml file I assume are related to the issue.

  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert

      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      #limit: 32mb

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
#######################################################

And here's the output from Suricata's initialization:

25/1/2013 -- 12:11:20 - <Info> - CPUs/cores online: 1
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - max_files is deprecated. Please use max-files on line 108.
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - use_stream_depth is deprecated. Please use use-stream-depth on line 113.
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - log_packet_content is deprecated. Please use log-packet-content on line 128.
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - log_packet_header is deprecated. Please use log-packet-header on line 129.
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toclient_src_groups is deprecated. Please use toclient-src-groups on line 278.
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toclient_dst_groups is deprecated. Please use toclient-dst-groups on line 279.
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toclient_sp_groups is deprecated. Please use toclient-sp-groups on line 280.
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toclient_dp_groups is deprecated. Please use toclient-dp-groups on line 281.
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toserver_src_groups is deprecated. Please use toserver-src-groups on line 282.
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - toserver_dst_groups is deprecated. Please use toserver-dst-groups on line 283.
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - not showing more parameter name warnings.
25/1/2013 -- 12:11:20 - <Info> - Found an MTU of 1500 for 'venet0'
25/1/2013 -- 12:11:20 - <Info> - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56
25/1/2013 -- 12:11:20 - <Info> - preallocated 1000 defrag trackers of size 152
25/1/2013 -- 12:11:20 - <Info> - defrag memory usage: 381376 bytes, maximum: 16777216
25/1/2013 -- 12:11:20 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
25/1/2013 -- 12:11:20 - <Info> - preallocated 5000 packets. Total memory 21300000
25/1/2013 -- 12:11:20 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
25/1/2013 -- 12:11:20 - <Info> - preallocated 1000 hosts of size 128
25/1/2013 -- 12:11:20 - <Info> - host memory usage: 357376 bytes, maximum: 16777216
25/1/2013 -- 12:11:20 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56
25/1/2013 -- 12:11:20 - <Info> - preallocated 10000 flows of size 280
25/1/2013 -- 12:11:20 - <Info> - flow memory usage: 6470016 bytes, maximum: 33554432
25/1/2013 -- 12:11:20 - <Info> - IP reputation disabled
25/1/2013 -- 12:11:20 - <Info> - Delayed detect disabled
25/1/2013 -- 12:11:22 - <Info> - 36 rule files processed. 6224 rules successfully loaded, 0 rules failed
25/1/2013 -- 12:11:24 - <Info> - 6232 signatures processed. 226 are IP-only rules, 2933 are inspecting packet payload, 3991 inspect application layer, 0 are decoder event only
25/1/2013 -- 12:11:24 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
25/1/2013 -- 12:11:24 - <Info> - building signature grouping structure, stage 2: building source address list... complete
25/1/2013 -- 12:11:25 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
25/1/2013 -- 12:11:26 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata//threshold.config": No such file or directory
25/1/2013 -- 12:11:26 - <Info> - Core dump size set to unlimited.
25/1/2013 -- 12:11:26 - <Info> - fast output device (regular) initialized: fast.log
25/1/2013 -- 12:11:26 - <Info> - http-log output device (regular) initialized: http.log
25/1/2013 -- 12:11:26 - <Info> - Using 1 live device(s).
25/1/2013 -- 12:11:26 - <Info> - Unable to find pcap config for interface venet0, using default value
25/1/2013 -- 12:11:26 - <Info> - using interface venet0
25/1/2013 -- 12:11:26 - <Info> - RunModeIdsPcapAutoFp initialised
25/1/2013 -- 12:11:26 - <Info> - stream "max-sessions": 262144
25/1/2013 -- 12:11:26 - <Info> - stream "prealloc-sessions": 32768
25/1/2013 -- 12:11:26 - <Info> - stream "memcap": 33554432
25/1/2013 -- 12:11:26 - <Info> - stream "midstream" session pickups: disabled
25/1/2013 -- 12:11:26 - <Info> - stream "async-oneside": disabled
25/1/2013 -- 12:11:26 - <Info> - stream "checksum-validation": enabled
25/1/2013 -- 12:11:26 - <Info> - stream."inline": disabled
25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "memcap": 67108864
25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "depth": 1048576
25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "toserver-chunk-size": 2560
25/1/2013 -- 12:11:26 - <Info> - stream.reassembly "toclient-chunk-size": 2560
25/1/2013 -- 12:11:26 - <Info> - all 2 packet processing threads, 1 management threads initialized, engine started.


#########################################
While fast.log is empty, http.log is working well and outputting proper logs,
so I assume there is no issue with file privileges.

Any help appreciated.
Thanks in advance.
Jutaro
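Added example (not part of the post): a small parser for the Suricata 1.x startup output shown above that pulls out the facts relevant to an empty alert log, namely which output devices were initialized, the rule-loading summary, and any non-deprecation ERRCODE warnings such as the missing threshold.config. The sample lines are copied from the post; the field names in `summarize()` and the wording of the findings are this example's own.

```python
import re

# Constructed sample input: startup lines copied from the post above.
STARTUP_LOG = """\
25/1/2013 -- 12:11:20 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - max_files is deprecated. Please use max-files on line 108.
25/1/2013 -- 12:11:22 - <Info> - 36 rule files processed. 6224 rules successfully loaded, 0 rules failed
25/1/2013 -- 12:11:26 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata//threshold.config": No such file or directory
25/1/2013 -- 12:11:26 - <Info> - fast output device (regular) initialized: fast.log
25/1/2013 -- 12:11:26 - <Info> - http-log output device (regular) initialized: http.log
"""

# One Suricata 1.x startup line: "<date> -- <time> - <Level> - <message>"
LINE_RE = re.compile(r"^\S+ -- \S+ - <(?P<level>\w+)> - (?P<msg>.*)$")
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<text>.*)$")
RULES_RE = re.compile(r"^(\d+) rule files processed\. (\d+) rules successfully loaded, (\d+) rules failed$")
OUTPUT_RE = re.compile(r"^(?P<name>[\w-]+) output device \(\w+\) initialized: (?P<file>\S+)$")

def summarize(log_text):
    # Collect the startup facts that decide whether an output file can ever receive lines.
    s = {"outputs": {}, "errors": [], "deprecated": 0, "rules": None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if e := ERRCODE_RE.match(msg):
            if e.group("code") == "SC_WARN_DEPRECATED":
                s["deprecated"] += 1  # renamed keys still parse; cosmetic only
            else:
                s["errors"].append((e.group("code"), e.group("text")))
        elif r := RULES_RE.match(msg):
            s["rules"] = {"files": int(r.group(1)), "loaded": int(r.group(2)), "failed": int(r.group(3))}
        elif o := OUTPUT_RE.match(msg):
            s["outputs"][o.group("name")] = o.group("file")
    return s

def diagnose(s, output="fast"):
    # Findings that would explain an empty <output> log; an empty list means the sink looks healthy.
    findings = []
    if output not in s["outputs"]:
        findings.append(f"{output} output never initialized: check 'enabled: yes' under outputs")
    if s["rules"] is None:
        findings.append("no rule-loading summary seen: rules may not have been read at all")
    elif s["rules"]["failed"]:
        findings.append(f"{s['rules']['failed']} rules failed to load: check rule syntax")
    for code, text in s["errors"]:
        findings.append(f"{code}: {text}")
    return findings
```

On the post's own log this reports only the missing threshold.config; the fast sink is initialized and all 6224 rules loaded, so the output side is not what is empty.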

