[Oisf-users] Unified2 file not growing
Victor Julien
lists at inliniac.net
Wed Oct 30 13:53:09 UTC 2013
On 10/30/2013 02:42 PM, Doisneau, Olivier wrote:
> I was told that this was actually normal. That the unified2 alert log
> will only write if there is an actual alert vs stats.log and fast.log
> that write continuously. The thing that threw me off is that it wrote a
> lot of data at startup and then stopped. So I guess my question is now
> to understand if it is normal for unified2 logs to be smaller than
> fast.log as it does more filtering before writing. If that is true then
> I am all set.
Could it be that the alerts you get right after start up are about bad
checksums, or maybe "stream" alerts?
Your output shows:
28/10/2013 -- 18:53:10 - <Info> - More than 1/10th of packets have an
invalid checksum, assuming checksum offloading is used (401/1000)
which indicates that the checksum checks are automatically disabled
after some time. Before that, the engine did consider the checksums,
possibly leading to checksum/stream alerts if you had those rules enabled.
Cheers,
Victor
>
> Thank you.
>
> Olivier
>
>
> On Wed, Oct 30, 2013 at 8:59 AM, Victor Julien <lists at inliniac.net> wrote:
>
> On 10/28/2013 11:56 PM, Doisneau, Olivier wrote:
> > Thank you for your reply. I have noticed that all goes well until I
> > start barnyard2. It then loads the files once into the database and
> > then the suricata files stop writing to fast and unified2 files.
> >
> > The last info in suricata.log is :
> >
> > 28/10/2013 -- 18:50:43 - <Info> - all 2 packet processing threads, 3
> > management threads initialized, engine started.
> >
> > 28/10/2013 -- 18:53:10 - <Info> - More than 1/10th of packets have an
> > invalid checksum, assuming checksum offloading is used (401/1000)
> >
> >
> > 18:53 is when barnyard2 started and these are the timestamps on the
> > files themselves.
> >
> > -rw-r----- 1 root root 103196 Oct 28 18:53 unified2.alert.1383000643
> >
> > -rw-r----- 1 root root 457260 Oct 28 18:53 fast.log
> >
> > -rw-r--r-- 1 root root 10335595 Oct 28 18:55 stats.log
> >
> >
> > So even if I want 1 hour, the timestamp of stats.log will keep on
> > changing but fast.log and unified2 timestamps and sizes are not
> > changing.
> >
> >
> > Hope that helps.
> >
>
> It would be interesting to see the last record of the stats.log, maybe
> it gives us some clues.
>
> Cheers,
> Victor
>
> >
> > On Mon, Oct 28, 2013 at 6:19 PM, Victor Julien <lists at inliniac.net> wrote:
> >
> > On 10/28/2013 06:47 PM, Olivier Doisneau wrote:
> > > I am new to Suricata and not even sure if this is the right place
> > > for my question. But in short, I have a server with Suricata
> > > installed and running and Barnyard2 to push the logs to the MySQL
> > > database. All is working fine but I am surprised to see the
> > > unified2 file is not growing, Barnyard2 is saying waiting for data
> > > but the stats.log is saying that it is moving along. If I stop and
> > > restart Suricata, then there is data read by Barnyard2 and
> > > successfully pushed out. Is data being written to another location
> > > than the directory in yaml for the unified2 file? Am I missing
> > > something? I imagined that the logs would continue growing all day.
> >
> > Is your fast.log enabled as well? Do you get alerts in there? Maybe
> > there are just no alerts.
> >
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
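Victor's suggestion is to find out what the alerts written right after startup actually are, before concluding anything from the size of the unified2 file. The following parser is an added example for this thread, not code from the list or from the Suricata or Barnyard2 projects. It walks a unified2 file record by record, tallies IDS events per (gid, sid) so the startup alerts can be matched against the rules that produced them, and reports a partial trailing record instead of failing on it, since a file the engine is still appending to can end mid-record. It assumes the legacy 52-byte UNIFIED2_IDS_EVENT (type 7) layout; any other record type (packet, extra data, IPv6 or extended event variants) is only counted. The sample bytes, including the sids 9000001 and 9000002, are constructed for the example.

```python
import socket
import struct
from collections import Counter

# unified2 is a sequence of records, each with an 8-byte header in network
# byte order: record type, then the length of the body that follows.
HDR = struct.Struct("!II")
UNIFIED2_PACKET = 2        # raw packet record that accompanies an event
UNIFIED2_IDS_EVENT = 7     # legacy IPv4 IDS event record (52-byte body), assumed layout

# Legacy IDS event body: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked.
IDS_EVENT = struct.Struct("!9I4s4sHHBBBB")


def parse_unified2(data):
    """Walk a unified2 byte stream.

    Returns (events, other_record_counts, trailing_bytes). A partial record
    at the end is reported through trailing_bytes rather than raised, because
    a file the IDS is still appending to may legitimately end mid-record.
    """
    events, other, off = [], Counter(), 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        start, end = off + HDR.size, off + HDR.size + rlen
        if end > len(data):
            break  # header promises more bytes than are present: partial record
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            f = IDS_EVENT.unpack(data[start:end])
            events.append({
                "event_id": f[1], "second": f[2],
                "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
                "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
                "sport": f[11], "dport": f[12], "proto": f[13],
            })
        else:
            other[rtype] += 1  # packet, extra-data, IPv6/extended events, ...
        off = end
    return events, other, len(data) - off


def alert_summary(data):
    """Tally alerts per (gid, sid) so startup alerts can be traced to rules."""
    events, other, trailing = parse_unified2(data)
    return {
        "events": len(events),
        "per_signature": dict(Counter((e["gid"], e["sid"]) for e in events)),
        "other_records": dict(other),
        "trailing_bytes": trailing,
    }


def build_event(sid, event_id, gid=1, src="10.0.0.1", dst="10.0.0.2",
                sport=40000, dport=80, proto=6, second=1383000643):
    """Encode one constructed legacy IDS event record (sample data only)."""
    body = IDS_EVENT.pack(1, event_id, second, 0, sid, gid, 1, 0, 2,
                          socket.inet_aton(src), socket.inet_aton(dst),
                          sport, dport, proto, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed sample: three alerts (two from made-up sid 9000001, one from
# made-up sid 9000002), one stand-in packet record, and a truncated trailing
# record as a writer that is mid-append would leave it.
SAMPLE = (
    build_event(9000001, 1)
    + HDR.pack(UNIFIED2_PACKET, 8) + b"\x00" * 8
    + build_event(9000001, 2)
    + build_event(9000002, 3, dport=443)
    + HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10
)

if __name__ == "__main__":
    import sys
    # Pass a unified2.alert.* path to summarise it; defaults to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in alert_summary(data).items():
        print(f"{key}: {value}")
```

Run against the file from the listing above (`unified2.alert.1383000643`) and compare the per-signature counts with the sids in fast.log for the same minutes: if the unified2 events all come from the same few signatures and stop at the moment the checksum-offloading message appears in suricata.log, that matches the explanation in the reply. A non-zero `trailing_bytes` on a live file is expected and simply means the engine was mid-write when the file was read.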