[Oisf-users] multicore http requests logging

Peter Manev petermanev at gmail.com
Tue Sep 27 07:56:11 UTC 2016


On Tue, Sep 27, 2016 at 8:43 AM, Michał D <michu162 at gmail.com> wrote:
> Hello,
>
> I would like to use suricata only to log incoming http requests and save
> them as json into file (http.json).

If this is the only thing you need to do - log HTTP requests only, no
inspection, no alerts - you can try the NSM mode (./configure --disable-detection .....) and
enable only HTTP logs in the eve-log section of suricata.yaml.

> I have server with two 10G interfaces where I'm receiving mirrored traffic,
> 48GB of RAM and Intel(R) Xeon(R) CPU E5540 2.53GHz with 16 cores
> Configuration of suricata and build-info you can find here:
> http://pastebin.com/CriMdqJP
>
> Currently it works in PCAP mode, but I can see 100% usage only of 2 CPU
> cores and a lot of drops.
> (/usr/bin/suricata -c /etc/suricata/suricata.yaml --disable-detection
> --pidfile /var/run/suricata.pid --pcap=p2p1 --pcap=p2p2 -D -vvv -F
> /etc/suricata/bpf_filter.txt)
>
> How should I configure & run suricata to have no drops and use all cores?
>
> Regards
> Michal
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net



-- 
Regards,
Peter Manev
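As an added illustration of the reply above (editor's example, not a fragment from Peter's message or from the Suricata project's shipped suricata.yaml), the outputs block below keeps only the HTTP record type in eve-log and writes it to the http.json file the question asks for. The af-packet section goes one step beyond the reply: it replaces the --pcap capture from the original command line, which in this thread shows only two busy cores, with one af-packet worker group per interface so that capture is spread across threads. The interface names p2p1 and p2p2 come from the question; the thread counts, cluster ids and the "workers" runmode are assumptions chosen for a 16-core box and should be tuned to the host.

```yaml
# Added example config fragment, not from the original post.
# Run with: suricata -c /etc/suricata/suricata.yaml --af-packet --runmode workers \
#           -F /etc/suricata/bpf_filter.txt   (build configured with --disable-detection)

outputs:
  - eve-log:
      enabled: yes
      filetype: regular          # plain file; syslog/unix_stream are the other options
      filename: http.json        # relative to default-log-dir
      types:
        - http:
            extended: yes        # adds referer, user-agent, content-type etc. to each record
      # No alert, dns, tls, fileinfo, flow or stats entries: only HTTP records are written.

af-packet:
  - interface: p2p1
    threads: 8                   # assumption: half of the 16 cores per mirrored interface
    cluster-id: 98               # must differ per interface
    cluster-type: cluster_flow   # keep all packets of one flow on the same thread
    defrag: yes
    use-mmap: yes
  - interface: p2p2
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
```

After starting Suricata, check `suricata --build-info` for the detection-disabled build and watch the stats log (or `kernel_drops` in the eve stats record, if you re-enable that type temporarily) to confirm that drops fall once capture is spread over several threads; eve-log file rotation should still be handled externally, since a single http.json will grow without bound on a 2x10G mirror.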
