[Oisf-users] question about unix_stream and http-logs

jason taylor jtfas90 at gmail.com
Tue Feb 14 13:06:59 UTC 2017

Hi All,

We use the following config snippet on our sensors and recently noticed
that if our application (logstash) is unable to send the unix_stream
events to the logstash destination, suricata will stop firing alerts.

Is this expected behavior?

I am not sure what other information here would be useful, so just let
me know what else would be needed.

suricata.yaml snippet:

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: /server01/suricata-http.sock
      append: yes
      #extended: yes     # enable this for extended logging information
      custom: yes       # enabled the custom logging format (defined by
      customformat: "%{%D-%H:%M:%S}t.%z|server01|%a|%p|%A|%P|%{X-
      filetype: unix_stream # 'regular', 'unix_stream' or 'unix_dgram'



More information about the Oisf-users mailing list