[Oisf-users] Suricata not writing to unified2

Peter Manev petermanev at gmail.com
Sat Nov 28 10:07:21 UTC 2015


On Sat, Nov 28, 2015 at 12:23 AM, Brian Hennigar <bhennigar at gmail.com> wrote:
> No, that file is empty.

If you have alerts there - you should also have something in unified2.

So if you try to test - you can test with " wget testmyids.com " or
you can run a pcap that you know for sure triggers alerts - you should
be able to confirm that the log files populate -

root at LTS-64-1:~ # ll -lh /var/log/suricata/
total 616K
drwxr-xr-x  5 root root    12K Nov 28 11:05 ./
drwxrwxr-x 26 root syslog 4.0K Nov 28 10:46 ../
drwxr-xr-x  2 root root    20K Jul 14 14:45 certs/
drwxr-xr-x  2 root root   4.0K Nov 25 17:25 core/
-rw-r--r--  1 root root   305K Nov 28 11:05 eve.json
-rw-r--r--  1 root root    91K Nov 28 11:05 fast.log
drwxr-xr-x  2 root root   4.0K Nov 25 17:25 files/
-rw-r--r--  1 root root    64K Nov 28 11:05 http.log
-rw-r--r--  1 root root   3.9K Nov 28 11:05 stats.log
-rw-r--r--  1 root root   6.9K Nov 28 11:05 suricata.log
-rw-r--r--  1 root root    89K Nov 28 11:05 unified2.alert.1448705134
root at LTS-64-1:~ #

Also - make sure there are no unwanted/unexpected changes to
suricata.yaml - variables etc...

>
> On Fri, Nov 27, 2015 at 6:38 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Fri, Nov 27, 2015 at 9:53 PM, Brian Hennigar <bhennigar at gmail.com>
>> wrote:
>> > I've upgraded to suricata 2.0.10 today and since the upgrade, Suricata
>> > is
>> > not writing to the unified2.alert file.
>> > It creates the file when it starts however the file size stays at 0. The
>> > alert-debug.log file does not change either.
>> >
>> > The system is Ubuntu server 14.04 x64. I used apt-get upgrade to install
>> > the
>> > latest stable release.
>> >
>> > What I can try to get the alerts to write?  Everything was working
>> > before
>> > the upgrade. The process stays running once started.
>>
>> Do you have alerts in fast.log?
>>
>> >
>> >
>> > Thanks,
>> > Brian
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Suricata User Conference November 4 & 5 in Barcelona:
>> > http://oisfevents.net
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev
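The check Peter describes is "alerts in fast.log, therefore records in unified2". As an added example that is not part of the thread, the script below is a minimal unified2 reader you can point at /var/log/suricata/unified2.alert.* to confirm the file holds IDS event records instead of merely existing at 0 bytes. It decodes the IPv4 IDS event record (type 7) and the packet record (type 2) as laid out in the public unified2 format; other record types are kept as raw bytes. The sample file it builds when run without an argument is constructed here, with a constructed local signature id, so the script runs offline.

```python
"""Added example: verify a Suricata unified2 spool file actually contains records.
Usage: python3 unified2_check.py /var/log/suricata/unified2.alert.1448705134
(with no argument it parses a constructed sample built in-process)."""
import ipaddress
import struct

# Record types from the unified2 format (Snort/Suricata).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RECORD_HEADER = struct.Struct("!II")    # type, length of payload (network byte order)
IDS_EVENT = struct.Struct("!11IHH4B")   # 52-byte IPv4 IDS event payload
PACKET_HEADER = struct.Struct("!7I")    # 28 bytes preceding the captured packet bytes

IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def parse_unified2(data: bytes) -> list:
    """Return a list of (record_type, fields) for every complete record.
    A partial record at the end of the file (normal while Suricata is still
    writing) terminates parsing instead of raising."""
    records = []
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        start = offset + RECORD_HEADER.size
        payload = data[start:start + rlen]
        if len(payload) < rlen:
            break  # truncated tail, nothing more to decode yet
        if rtype == UNIFIED2_IDS_EVENT and len(payload) >= IDS_EVENT.size:
            ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(payload)))
            ev["ip_source"] = str(ipaddress.IPv4Address(ev["ip_source"]))
            ev["ip_destination"] = str(ipaddress.IPv4Address(ev["ip_destination"]))
            records.append((rtype, ev))
        elif rtype == UNIFIED2_PACKET and len(payload) >= PACKET_HEADER.size:
            hdr = PACKET_HEADER.unpack_from(payload)
            pkt_len = hdr[6]
            records.append((rtype, {
                "event_id": hdr[1],
                "linktype": hdr[5],
                "packet": payload[PACKET_HEADER.size:PACKET_HEADER.size + pkt_len],
            }))
        else:
            records.append((rtype, {"raw": payload}))
        offset = start + rlen
    return records


def summarize(data: bytes) -> dict:
    """What an operator wants to know: how many records, how many alerts, which sids."""
    recs = parse_unified2(data)
    events = [fields for rtype, fields in recs if rtype == UNIFIED2_IDS_EVENT]
    return {
        "records": len(recs),
        "events": len(events),
        "sids": sorted({ev["signature_id"] for ev in events}),
    }


def build_sample_file() -> bytes:
    """Constructed sample: one IDS event (constructed sid 1000001, documentation
    addresses from RFC 5737) followed by its packet record."""
    src = int(ipaddress.IPv4Address("192.0.2.10"))
    dst = int(ipaddress.IPv4Address("198.51.100.20"))
    event = IDS_EVENT.pack(1, 7, 1448705134, 0, 1000001, 1, 2, 3, 2,
                           src, dst, 80, 51234, 6, 0, 0, 0)
    packet_bytes = b"\x00" * 14 + b"constructed payload"   # fake Ethernet header + data
    packet = PACKET_HEADER.pack(1, 7, 1448705134, 1448705134, 0, 1,
                                len(packet_bytes)) + packet_bytes
    return (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_file()
    print(summarize(data))
```

A zero-byte spool file yields `{"records": 0, "events": 0, "sids": []}`, which is the symptom in this thread; a file that parses to events while fast.log is also growing means the unified2 output is healthy and the problem is downstream (barnyard2 or whatever consumes the spool).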


