[Oisf-users] Unified2 file not growing

Doisneau, Olivier odoisneau at payveris.com
Wed Oct 30 13:42:45 UTC 2013


I was told that this was actually normal.  That the unified2 alert log will
only write if there is an actual alert vs stats.log and fast.log that write
continuously.  The thing that threw me off is that it wrote a lot of data
at startup and then stopped. So I guess my question is now to understand if
it is normal for unified2 logs to be smaller than fast.log as it does more
filtering before writing.  If that is true then I am all set.

Thank you.

Olivier


On Wed, Oct 30, 2013 at 8:59 AM, Victor Julien <lists at inliniac.net> wrote:

> On 10/28/2013 11:56 PM, Doisneau, Olivier wrote:
> > Thank you for your reply.  I have noticed that all goes well until I
> > start barnyard2.  It then loads the files once into the database and
> > then the suricata files stop writing to fast and unified2 files.
> >
> > The last info in suricata.log is :
> >
> > 28/10/2013 -- 18:50:43 - <Info> - all 2 packet processing threads, 3
> > management threads initialized, engine started.
> >
> > 28/10/2013 -- 18:53:10 - <Info> - More than 1/10th of packets have an
> > invalid checksum, assuming checksum offloading is used (401/1000)
> >
> >
> > 18:53 is when barnyard2 started and these are the timestamps on the
> > files themselves.
> >
> > -rw-r----- 1 root root   103196 Oct 28 18:53 unified2.alert.1383000643
> >
> > -rw-r----- 1 root root   457260 Oct 28 18:53 fast.log
> >
> > -rw-r--r-- 1 root root 10335595 Oct 28 18:55 stats.log
> >
> >
> > So even if I want 1 hour, the timestamp of stats.log will keep on
> > changing but fast.log and unified2 timestamps and sizes are not changing.
> >
> >
> > Hope that helps.
> >
>
> It would be interesting to see the last record of the stats.log, maybe
> it gives us some clues.
>
> Cheers,
> Victor
>
> >
> > On Mon, Oct 28, 2013 at 6:19 PM, Victor Julien <lists at inliniac.net
> > <mailto:lists at inliniac.net>> wrote:
> >
> >     On 10/28/2013 06:47 PM, Olivier Doisneau wrote:
> >     > I am new to Suricata and not even sure if this is the right place
> >     for my question.  But in short, I have a server with Suricata
> >     installed and running and Barnyard2 to push the logs to the mysql
> >     database.  All is working fine but I am surprised to see the
> >     unified2 file is not growing, Barnyard2 is saying waiting for data
> >     but the stats.log is saying that it is moving along.  If I stop and
> >     restart suricata, then there is data read by Barnyard2 and
> >     successfully pushed out.  Is data being written to another location
> >     than the directory in yaml for the unified2 file?  Am I missing
> >     something? I imagined that the logs would continue growing all day.
> >
> >     Is your fast.log enabled as well? Do you get alerts in there? Maybe
> >     there are just no alerts.
> >
> >     --
> >     ---------------------------------------------
> >     Victor Julien
> >     http://www.inliniac.net/
> >     PGP: http://www.inliniac.net/victorjulien.asc
> >     ---------------------------------------------
> >
> >     _______________________________________________
> >     Suricata IDS Users mailing list:
> >     oisf-users at openinfosecfoundation.org
> >     <mailto:oisf-users at openinfosecfoundation.org>
> >     Site: http://suricata-ids.org | Support:
> >     http://suricata-ids.org/support/
> >     List:
> >     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >     OISF: http://www.openinfosecfoundation.org/
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
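One way to check the claim in this thread (that unified2 only gets a record when an alert fires, while fast.log is written per alert too) is to count the event records in the unified2 file and compare them with the alert lines in fast.log. The script below is an added example, not code from the thread or from the Suricata or Barnyard2 projects; the record type ids come from the Snort unified2 on-disk format, and the sample file contents are constructed.

```python
"""Count alert records in a Suricata unified2 file and compare with fast.log."""
import struct
from collections import Counter

# Record type ids from the Snort unified2 on-disk format: every record is a
# 4-byte big-endian type, a 4-byte big-endian length, then `length` bytes.
U2_PACKET, U2_IDS_EVENT, U2_IDS_EVENT_IPV6 = 2, 7, 72
U2_IDS_EVENT_V2, U2_IDS_EVENT_IPV6_V2, U2_EXTRA_DATA = 104, 105, 110
EVENT_TYPES = {U2_IDS_EVENT, U2_IDS_EVENT_IPV6, U2_IDS_EVENT_V2, U2_IDS_EVENT_IPV6_V2}
HEADER = struct.Struct(">II")

def iter_unified2(data):
    """Yield (type, payload) per complete record; stop at a truncated tail."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + rlen > len(data):
            break  # partial record, suricata is still writing it
        yield rtype, data[off:off + rlen]
        off += rlen

def count_unified2_records(data):
    return Counter(rtype for rtype, _ in iter_unified2(data))

def count_fast_log_alerts(text):
    """Each fast.log line is one alert; '[**]' brackets the signature field."""
    return sum(1 for line in text.splitlines() if "[**]" in line)

def alert_counts_agree(u2_data, fast_text):
    """True when unified2 event records match the number of fast.log alerts."""
    counts = count_unified2_records(u2_data)
    return sum(counts[t] for t in EVENT_TYPES) == count_fast_log_alerts(fast_text)

def _record(rtype, payload):
    return HEADER.pack(rtype, len(payload)) + payload

# Constructed sample: two V2 events, each followed by its packet record, then a
# truncated header as seen on a file mid-write. Payload bytes are dummies.
SAMPLE_U2 = b"".join([
    _record(U2_IDS_EVENT_V2, b"\x00" * 88), _record(U2_PACKET, b"\xaa" * 60),
    _record(U2_IDS_EVENT_V2, b"\x00" * 88), _record(U2_PACKET, b"\xbb" * 60),
]) + b"\x00\x00\x00\x68\x00\x00"
SAMPLE_FAST = (
    "10/28/2013-18:53:10.000001  [**] [1:2000001:1] CONSTRUCTED TEST 1 [**] ...\n"
    "10/28/2013-18:53:10.000002  [**] [1:2000002:1] CONSTRUCTED TEST 2 [**] ...\n"
)
```

On a live system feed `count_unified2_records(open(path, "rb").read())` the spool file named in the listing above; since fast.log there is a single append-only file while the unified2 file carries a start timestamp in its name, compare only alerts from the same run.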