[Oisf-users] problem with suricata3 stats logs

Andreas Moe moe.andreas at gmail.com
Wed Nov 16 19:07:37 UTC 2016


Have you tried increasing the verbosity of the logging? Add "-vv" as a
command-line flag when you run Suricata.

ons. 16. nov. 2016 kl. 20.05 skrev erik clark <philosnef at gmail.com>:

> I am specifying it at run time. My suricata.log has nothing indicating
> method of acquisition... whether I use afpacket or pfring. All I have, other
> than the startup message, is an event message indicating that all packet
> processing threads, management threads initialized, engine started.
>
> On Wed, Nov 16, 2016 at 2:00 PM, Andreas Moe <moe.andreas at gmail.com>
> wrote:
>
> I know that it was previously in the stats.log, but that has been changed,
> to make a more uniform logging format, for many different reasons. But,
> what I was trying to convey, was that in the suricata application log, it
> should indicate what kind of packet acquisition method is being utilized.
> AKA, the suricata.log should say if either AF-PACKET or PF_RING is being
> used. But then again, why are you not specifying this when starting
> Suricata? You cannot use them at the same time.
>
> ons. 16. nov. 2016 kl. 19.55 skrev erik clark <philosnef at gmail.com>:
>
> No. Previously this was in stats.log. Right now I have zero ways of
> telling if pf_ring or af_packet is being properly used. :)
>
> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>
>
> capture.kernel_packets    | AFPacketeth315            | 1436331302
> capture.kernel_drops      | AFPacketeth315            | 0
> capture.kernel_packets    | AFPacketeth316            | 1449320230
> capture.kernel_drops      | AFPacketeth316            | 0
>
>
> On Wed, Nov 16, 2016 at 1:51 PM, Andreas Moe <moe.andreas at gmail.com>
> wrote:
>
> Shouldn't suricata logging (suricata.log if enabled, and not sure of what
> verbose level needed) indicate what acquisition method is used?
>
> Den ons. 16. nov. 2016, 19:45 skrev erik clark <philosnef at gmail.com>:
>
> Ok, so I can't tell if either pfring or afpacket is actually being used by
> suricata. Previous versions of suricata had AFPacket in the stats.log
> indicating one or the other is loaded. Now, all it says is:
>
> (stat) | W#12-em3 | (value)
>
> How can I tell that either afpacket or pfring is _actually_ being used as
> expected, when nothing in the stats.log file indicates that this is the
> case? Thanks!
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://suricon.net
>
>
>
>
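As an added example (not from this thread or the Suricata project), here is a small parser for stats.log counter lines in both layouts quoted above that summarises kernel packets and drops per capture thread. The sample lines are constructed; the only thread-name prefix it recognises is the "AFPacket" one shown in the thread, and treating everything else as unknown is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two stats.log layouts seen in the thread:
# the older "AFPacket<iface>" thread names and the 3.x "W#NN-<iface>" workers.
SAMPLE_STATS = """\
capture.kernel_packets    | AFPacketeth315            | 1436331302
capture.kernel_drops      | AFPacketeth315            | 0
capture.kernel_packets    | W#01-em3                  | 5000000
capture.kernel_drops      | W#01-em3                  | 25000
decoder.pkts              | W#01-em3                  | 4975000
"""

# stats.log counter line: "<stat> | <thread> | <value>", pipe separated.
LINE_RE = re.compile(r"^\s*(?P<stat>[\w.]+)\s*\|\s*(?P<thread>\S+)\s*\|\s*(?P<value>\d+)\s*$")

def parse_stats(text):
    """Return {thread: {stat: value}} for every parseable counter line."""
    counters = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("thread")][m.group("stat")] = int(m.group("value"))
    return counters

def capture_method(thread):
    """Guess the capture method from the thread name (assumption: only the
    'AFPacket' prefix is attested in the thread; 3.x 'W#' names carry no hint)."""
    if thread.startswith("AFPacket"):
        return "af-packet"
    return "unknown (check suricata.log with -vv)"

def capture_report(text):
    """Per-thread kernel packet/drop summary with the drop ratio in percent."""
    report = {}
    for thread, stats in parse_stats(text).items():
        pkts = stats.get("capture.kernel_packets")
        if pkts is None:
            continue  # not a capture thread (no kernel_packets counter)
        drops = stats.get("capture.kernel_drops", 0)
        drop_pct = 100.0 * drops / pkts if pkts else 0.0
        report[thread] = {"method": capture_method(thread), "packets": pkts,
                          "drops": drops, "drop_pct": round(drop_pct, 3)}
    return report

if __name__ == "__main__":
    for thread, r in capture_report(SAMPLE_STATS).items():
        print(f"{thread}: {r['method']}, {r['packets']} pkts, {r['drop_pct']}% dropped")
```

A rising drop_pct on a worker is the signal to look at first when the capture method is in doubt, whichever naming scheme the running version uses.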