[Oisf-users] Unified2 file not growing

Doisneau, Olivier odoisneau at payveris.com
Mon Oct 28 22:56:26 UTC 2013


Thank you for your reply.  I have noticed that all goes well until I start
barnyard2.  It then loads the files once into the database, and then
Suricata stops writing to the fast and unified2 files.

The last info in suricata.log is:

28/10/2013 -- 18:50:43 - <Info> - all 2 packet processing threads, 3
management threads initialized, engine started.

28/10/2013 -- 18:53:10 - <Info> - More than 1/10th of packets have an
invalid checksum, assuming checksum offloading is used (401/1000)

18:53 is when barnyard2 started and these are the timestamps on the files
themselves.

-rw-r----- 1 root root   103196 Oct 28 18:53 unified2.alert.1383000643
-rw-r----- 1 root root   457260 Oct 28 18:53 fast.log
-rw-r--r-- 1 root root 10335595 Oct 28 18:55 stats.log


So even if I wait 1 hour, the timestamp of stats.log will keep on changing,
but the fast.log and unified2 timestamps and sizes are not changing.


Hope that helps.


On Mon, Oct 28, 2013 at 6:19 PM, Victor Julien <lists at inliniac.net> wrote:

> On 10/28/2013 06:47 PM, Olivier Doisneau wrote:
> > I am new to Suricata and not even sure if this is the right place for my
> > question.  But in short, I have a server with Suricata installed and
> > running and Barnyard2 to push the logs to the mysql database.  All is
> > working fine but I am surprised to see the unified2 file is not growing,
> > Barnyard2 is saying waiting for data but the stats.log is saying that it is
> > moving along.  If I stop and restart suricata, then there is data read by
> > Barnyard2 and successfully pushed out.  Is data being written to another
> > location than the directory in yaml for the unified2 file?  Am I missing
> > something?  I imagined that the logs would continue growing all day.
>
> Is your fast.log enabled as well? Do you get alerts in there? Maybe
> there are just no alerts.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
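An added check for the symptom reported in this thread (not code from the thread, from Suricata or from Barnyard2): it compares the mtimes of fast.log and the newest unified2 file against stats.log, which Suricata rewrites on a fixed interval whether or not alerts fire, so a growing lag on both alert outputs while stats.log keeps moving is the "stopped writing" pattern above. It assumes GNU coreutils/findutils (Linux), the default /var/log/suricata log directory, and unified2 files named unified2.alert.<epoch>; as Victor's reply notes, the same lag also appears when there simply are no alerts, so treat it as a prompt to investigate rather than proof of a stall.

```shell
#!/bin/sh
# Exit codes from check_stall: 0 = alert outputs recent, 1 = both alert
# outputs lag stats.log by more than MAX_LAG seconds, 2 = files missing.
LOGDIR="${SURICATA_LOGDIR:-/var/log/suricata}"   # assumed default path

mtime() { stat -c %Y "$1"; }   # GNU stat: mtime as epoch seconds

# Newest unified2 spool file by mtime (Suricata names them unified2.alert.<epoch>).
newest_unified2() {
    find "$1" -maxdepth 1 -name 'unified2.alert.*' -printf '%T@ %p\n' 2>/dev/null \
        | sort -n | tail -n 1 | cut -d' ' -f2-
}

# check_stall DIR [MAX_LAG_SECONDS]
# stats.log is the reference clock: the engine keeps writing it even when no
# alerts are produced, so it proves Suricata itself is still running.
check_stall() {
    dir="$1"; max_lag="${2:-600}"
    u2=$(newest_unified2 "$dir")
    [ -f "$dir/stats.log" ] && [ -f "$dir/fast.log" ] && [ -n "$u2" ] || return 2
    ref=$(mtime "$dir/stats.log")
    lag_fast=$(( ref - $(mtime "$dir/fast.log") ))
    lag_u2=$(( ref - $(mtime "$u2") ))
    if [ "$lag_fast" -gt "$max_lag" ] && [ "$lag_u2" -gt "$max_lag" ]; then
        echo "STALL: fast.log lags stats.log by ${lag_fast}s, $(basename "$u2") by ${lag_u2}s"
        return 1
    fi
    echo "OK: fast.log lag ${lag_fast}s, unified2 lag ${lag_u2}s"
    return 0
}

# Usage: check_stall "$LOGDIR" 600   (run from cron and alert on exit code 1)
```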