[Oisf-users] Unified2 file not growing

Victor Julien lists at inliniac.net
Wed Oct 30 12:59:51 UTC 2013


On 10/28/2013 11:56 PM, Doisneau, Olivier wrote:
> Thank you for your reply.  I have noticed that all goes well until I
> start barnyard2.  It then loads the files once into the database, and
> then Suricata stops writing to the fast and unified2 files.
> 
> The last info in suricata.log is :
> 
> 28/10/2013 -- 18:50:43 - <Info> - all 2 packet processing threads, 3
> management threads initialized, engine started.
> 
> 28/10/2013 -- 18:53:10 - <Info> - More than 1/10th of packets have an
> invalid checksum, assuming checksum offloading is used (401/1000)
> 
> 
> 18:53 is when barnyard2 started and these are the timestamps on the
> files themselves.
> 
> -rw-r----- 1 root root   103196 Oct 28 18:53 unified2.alert.1383000643
> 
> -rw-r----- 1 root root   457260 Oct 28 18:53 fast.log
> 
> -rw-r--r-- 1 root root 10335595 Oct 28 18:55 stats.log
> 
> 
> So even if I wait 1 hour, the timestamp of stats.log will keep on
> changing, but the fast.log and unified2 timestamps and sizes are not changing.
> 
> 
> Hope that helps.
> 

It would be interesting to see the last record of the stats.log, maybe
it gives us some clues.

Cheers,
Victor

> 
> On Mon, Oct 28, 2013 at 6:19 PM, Victor Julien <lists at inliniac.net
> <mailto:lists at inliniac.net>> wrote:
> 
>     On 10/28/2013 06:47 PM, Olivier Doisneau wrote:
>     > I am new to Suricata and not even sure if this is the right place
>     > for my question.  But in short, I have a server with Suricata
>     > installed and running, and Barnyard2 to push the logs to the MySQL
>     > database.  All is working fine, but I am surprised to see the
>     > unified2 file is not growing: Barnyard2 is saying it is waiting for
>     > data, but the stats.log is saying that it is moving along.  If I stop
>     > and restart Suricata, then there is data read by Barnyard2 and
>     > successfully pushed out.  Is data being written to another location
>     > than the directory in the yaml for the unified2 file?  Am I missing
>     > something?  I imagined that the logs would continue growing all day.
> 
>     Is your fast.log enabled as well? Do you get alerts in there? Maybe
>     there are just no alerts.
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 
>     _______________________________________________
>     Suricata IDS Users mailing list:
>     oisf-users at openinfosecfoundation.org
>     <mailto:oisf-users at openinfosecfoundation.org>
>     Site: http://suricata-ids.org | Support:
>     http://suricata-ids.org/support/
>     List:
>     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     OISF: http://www.openinfosecfoundation.org/
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
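The question the thread keeps circling is whether the spool file named in the listing (unified2.alert.1383000643) actually contains alert records, and whether its tail is a half-written record that Suricata is still appending to. The script below, an added example that is not part of this thread nor of Suricata or barnyard2, walks a unified2 file using the record layout from the unified2 specification (an 8-byte big-endian type/length header followed by a body; the legacy IPv4 IDS event is record type 7 with a 52-byte body, the packet record is type 2) and reports the record counts, the last event time and any partial record at the end of the file. Run with no argument it parses a constructed in-memory sample (the sensor id, signature id and addresses in build_sample_spool are made up); run with a path it reads that spool file.

```python
"""Summarise a Suricata/Snort unified2 spool file (added example, not project code)."""
import socket
import struct
import sys
import time

# Record types from the unified2 specification.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_V2 = 104
UNIFIED2_IDS_EVENT_IPV6_V2 = 105
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPES = (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_V2, UNIFIED2_IDS_EVENT_IPV6_V2)

RECORD_HEADER = struct.Struct("!II")                # record type, body length
IDS_EVENT_LEGACY = struct.Struct("!9I4s4sHHBBBB")   # Unified2IDSEvent_legacy, 52 bytes
PACKET_HEADER = struct.Struct("!7I")                # Serial_Unified2Packet header, then packet bytes


def parse_records(data):
    """Return ([(type, body), ...], leftover_bytes).

    A short tail is normal while the writer is still appending, so it is
    reported as leftover bytes rather than treated as corruption.
    """
    records, offset = [], 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        start = offset + RECORD_HEADER.size
        if start + rlen > len(data):
            break                                   # partial record at end of file
        records.append((rtype, data[start:start + rlen]))
        offset = start + rlen
    return records, len(data) - offset


def decode_ids_event(body):
    """Decode a legacy IPv4 IDS event body into a dict of named fields."""
    if len(body) != IDS_EVENT_LEGACY.size:
        raise ValueError("legacy event body is %d bytes, expected %d"
                         % (len(body), IDS_EVENT_LEGACY.size))
    f = IDS_EVENT_LEGACY.unpack(body)
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "event_microsecond": f[3], "sid": f[4], "gid": f[5], "rev": f[6],
            "classification": f[7], "priority": f[8],
            "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
            "sport": f[11], "dport": f[12], "proto": f[13],
            "impact_flag": f[14], "impact": f[15], "blocked": f[16]}


def summarize(data):
    """Count records per type and find the newest alert in the file."""
    records, leftover = parse_records(data)
    summary = {"counts": {}, "events": [], "last_event_second": None,
               "leftover_bytes": leftover}
    for rtype, body in records:
        summary["counts"][rtype] = summary["counts"].get(rtype, 0) + 1
        if rtype == UNIFIED2_IDS_EVENT:
            event = decode_ids_event(body)
            summary["events"].append(event)
            summary["last_event_second"] = event["event_second"]
        elif rtype in EVENT_TYPES:
            # Every event variant begins with sensor_id, event_id, event_second.
            summary["last_event_second"] = struct.unpack_from("!3I", body)[2]
    return summary


def build_sample_spool(event_second):
    """Constructed sample: one legacy IPv4 event plus its packet record (made-up values)."""
    event = IDS_EVENT_LEGACY.pack(
        1, 42, event_second, 0,                  # sensor_id, event_id, seconds, microseconds
        1000001, 1, 1, 3, 2,                     # sid, gid, rev, classification, priority
        socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"),
        51234, 80, 6, 0, 0, 0)                   # sport, dport, proto (TCP), impact flags, blocked
    payload = b"\x00" * 14 + b"\x45" + b"\x00" * 59   # 74 dummy packet bytes
    packet = PACKET_HEADER.pack(1, 42, event_second, event_second, 0, 1, len(payload)) + payload
    return (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_spool(int(time.time()) - 120)
    s = summarize(data)
    print("records by type:", s["counts"])
    print("partial record bytes at tail:", s["leftover_bytes"])
    if s["last_event_second"] is None:
        print("no alert records: either no alerts fired or output went elsewhere")
    else:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(s["last_event_second"]))
        print("last alert at %s (%d s ago)" % (stamp, int(time.time()) - s["last_event_second"]))


if __name__ == "__main__":
    main(sys.argv)
```

Comparing the last alert time reported here with the timestamps in fast.log separates the two explanations Victor raises: if the spool file ends at the same second fast.log stops, the engine stopped producing alerts (or stopped writing) at that point; if barnyard2 reports "waiting for data" while this script finds newer events, the reader is the problem, not the writer.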



