[Oisf-users] Not writing to http.log

Peter Manev petermanev at gmail.com
Fri Nov 18 08:49:37 UTC 2016


On Fri, Oct 28, 2016 at 3:43 PM, Brian Hennigar <bhennigar at gmail.com> wrote:
> I was able to solve this using this older issue
> https://redmine.openinfosecfoundation.org/issues/1291  (the
> redmine.openinfosecfoundation.org site wasn't accessible last night)
>
> Once I enabled the async-oneside: true, it started logging to http.log.

If you had the http logs themselves in eve.json but not in http.log
and they would appear in http.log only when async-oneside is enabled
(while at the same time eve.json is populated with the http logs) -
sounds like a bug to me.

Can you reproduce that consistently?

>
> Thanks!
>
>
> On Thu, Oct 27, 2016 at 6:25 PM, Andreas Herz <andi at geekosphere.org> wrote:
>>
>> On 27/10/16 at 17:46, Brian Hennigar wrote:
>> > Hi,
>> > I'm running suricata 3.1.2 and everything is working great except that
>> > it is not writing anything to http.log.  When suricata starts, the file
>> > is created however it is empty. Other log files are being written to.
>> > (dns.log, eve.json, fast.log, alert-debug.log, etc)
>> >
>> > I have it enabled in the yaml
>> >   - http-log:
>> >       enabled: yes
>> >       filename: http.log
>> >       append: yes
>> >
>> > And in suricata.log, it initializes it
>> > <Info> - http-log output device (regular) initialized: http.log
>> >
>> > Running in IDS mode. This configuration has worked for me in the past.
>>
>> So the only change was an update to 3.1.2?
>> From what version did you update?
>>
>> Do you have an example in a pcap with which you can reproduce it?
>>
>> --
>> Andreas Herz
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://suricon.net



-- 
Regards,
Peter Manev
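
One way to check the condition described above (HTTP events present in eve.json while http.log stays empty), as an added example that is not part of the original thread. It assumes the eve-log output has its http event type enabled and that http.log holds one line per transaction; the function names are hypothetical and the sample records are constructed.

```python
import json


def count_eve_http(eve_lines):
    """Count eve.json records (one JSON object per line) with event_type "http"."""
    count = 0
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written last line is normal on a live sensor
        if isinstance(record, dict) and record.get("event_type") == "http":
            count += 1
    return count


def diagnose(eve_lines, http_log_lines):
    """Return (eve_http_count, http_log_count, verdict) for the two outputs."""
    eve_http = count_eve_http(eve_lines)
    logged = sum(1 for line in http_log_lines if line.strip())
    if eve_http and not logged:
        verdict = "eve-only"       # HTTP parsed, but http.log output stayed empty
    elif not eve_http and not logged:
        verdict = "no-http"        # neither output saw an HTTP transaction
    elif eve_http and logged:
        verdict = "both"
    else:
        verdict = "http-log-only"
    return eve_http, logged, verdict


# Constructed sample data, not taken from the thread.
SAMPLE_EVE = [
    '{"timestamp":"2016-10-27T17:40:01.000000+0000","event_type":"dns"}\n',
    '{"timestamp":"2016-10-27T17:40:02.000000+0000","event_type":"http",'
    '"http":{"hostname":"example.com","url":"/"}}\n',
    '{"timestamp":"2016-10-27T17:40:03.000000+0000","event_type":"ht',  # truncated
]
SAMPLE_HTTP_LOG = []  # empty file, as in the original report

if __name__ == "__main__":
    print(diagnose(SAMPLE_EVE, SAMPLE_HTTP_LOG))
```

Against a live sensor, pass open file handles for eve.json and http.log instead of the sample lists.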

