[Oisf-users] suricata vlan log - onionsecurity is ok, selks ko

Peter Manev petermanev at gmail.com
Thu Feb 26 22:37:46 UTC 2015


On Thu, Feb 26, 2015 at 10:51 PM, john nesh <john.nesh76 at gmail.com> wrote:
> It does not seem to work this way either.
> Is there anything else I could check?

Do you have vlan IDs in eve.json ?

>
> 2015-02-26 21:53 GMT+01:00 Peter Manev <petermanev at gmail.com>:
>>
>> On Thu, Feb 26, 2015 at 9:43 PM, john nesh <john.nesh76 at gmail.com> wrote:
>> > You are right,
>> >
>> > rx-vlan-offload: on
>> > tx-vlan-offload: on
>> >
>> > Do I have to disable it?
>>
>> Just run that -
>> /opt/selks/Scripts/Setup/reconfigure-listening-interface_stamus.sh
>>
>>
>>
>> >
>> > 2015-02-26 21:04 GMT+01:00 Peter Manev <petermanev at gmail.com>:
>> >>
>> >> On Thu, Feb 26, 2015 at 8:18 PM, john nesh <john.nesh76 at gmail.com>
>> >> wrote:
>> >> > Hi,
>> >> >
>> >> > I am facing a different behaviour regarding vlans in logs.
>> >> > I made an installation of securityonion and vlan log in eve.json
>> >> > worked flawlessly but not in selks.
>> >> > I have read that vlan behaviour had changed in 2.1
>> >> >
>> >> > in my suricata.yaml I have:
>> >> >
>> >> >  vlan:
>> >> >    use-for-tracking: true
>> >> >
>> >> > But I have no log in eve.json.
>> >> > Is this an expected behaviour?
>> >>
>> >> You might have vlan offloading enabled on your NIC - if that is the
>> >> case you would need to disable it.
>> >> (ethtool -k interface - will show the status)
>> >>
>> >> >
>> >> > John
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Regards,
>> >> Peter Manev
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev
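
An added example, not part of the original thread or of Suricata/SELKS: one way to answer "Do you have vlan IDs in eve.json?" by counting EVE events with and without a `vlan` field. The sample lines are constructed, and the script assumes `vlan` appears at the top level of an event either as a single integer or as a list of integers.

```python
import json
import sys
from collections import Counter

# Constructed sample in EVE JSON shape (not taken from the thread).
# The last line is deliberately truncated, as when a file is read mid-write.
SAMPLE_EVE = """\
{"timestamp":"2015-02-26T21:00:01.000000+0100","event_type":"alert","vlan":100,"src_ip":"10.0.0.5"}
{"timestamp":"2015-02-26T21:00:02.000000+0100","event_type":"http","vlan":[100,200],"src_ip":"10.0.0.5"}
{"timestamp":"2015-02-26T21:00:03.000000+0100","event_type":"dns","src_ip":"10.0.0.7"}
{"timestamp":"2015-02-26T21:00:04.000000+0100","event_type":"aler
"""


def vlan_ids(event):
    """Return the VLAN IDs of one event as a tuple; empty if the event has none."""
    value = event.get("vlan")
    if value is None:
        return ()
    if isinstance(value, list):          # assumed list form (stacked tags)
        return tuple(int(v) for v in value)
    return (int(value),)                 # assumed single-integer form


def summarize(lines):
    """Count tagged, untagged and unparsable lines, plus events per VLAN ID."""
    stats = {"tagged": 0, "untagged": 0, "malformed": 0,
             "per_vlan": Counter(), "untagged_types": Counter()}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:               # truncated or corrupt line
            stats["malformed"] += 1
            continue
        ids = vlan_ids(event) if isinstance(event, dict) else None
        if ids is None:
            stats["malformed"] += 1
        elif ids:
            stats["tagged"] += 1
            stats["per_vlan"].update(ids)
        else:
            stats["untagged"] += 1
            stats["untagged_types"][event.get("event_type", "?")] += 1
    return stats


if __name__ == "__main__":
    # Pass the path to eve.json as the first argument; without it the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(summarize(fh))
    else:
        print(summarize(SAMPLE_EVE.splitlines()))
```

If `tagged` stays at zero on a link known to carry 802.1Q traffic, the `rx-vlan-offload` setting discussed above is the first thing to recheck.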


