[Oisf-users] question about unix_stream and http-logs
jason taylor
jtfas90 at gmail.com
Tue Feb 14 13:06:59 UTC 2017
Hi All,
We use the following config snippet on our sensors and recently noticed
that if our application (logstash) is unable to send the unix_stream
events to the logstash destination, suricata will stop firing alerts.
Is this expected behavior?
I am not sure what other information here would be useful, so just let
me know what else would be needed.
suricata.yaml snippet:

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: /server01/suricata-http.sock
      append: yes
      #extended: yes     # enable this for extended logging information
      custom: yes        # enabled the custom logging format (defined by customformat)
      customformat: "%{%D-%H:%M:%S}t.%z|server01|%a|%p|%A|%P|%{X-Forwarded-For}i|%m|%h|%u|%{referer}i|%{User-agent}i|%{Accept-Language}i|%s"
      filetype: unix_stream # 'regular', 'unix_stream' or 'unix_dgram'
TIA
JT
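The mechanism behind the question above, as an added example that is not part of the original post and is not Suricata's own writer code: a unix_stream socket is a blocking byte pipe, so once the consumer stops reading and the kernel buffers on both ends fill, a blocking send() on the producer side simply does not return. The script models that with a socketpair standing in for the .sock file and a consumer that never reads standing in for a logstash input that has stopped draining; the sample log line is constructed in the shape of the customformat from the snippet, and the buffer cap, timeout and attempt count are arbitrary demo values.

```python
"""Added example (not from the original post or the Suricata project): a
small model of why a unix_stream log sink whose consumer stops reading can
stall the writer. The socketpair stands in for the .sock file, the stuck
consumer for a logstash input that no longer drains it."""
import socket

# Constructed sample line in the shape of the customformat above (14 fields).
SAMPLE_LINE = (
    b"02/14/17-13:06:59.000000|server01|10.0.0.5|51234|10.0.0.80|80|-"
    b"|GET|example.test|/index.html|-|Mozilla/5.0|en-US|200\n"
)


def blocking_writer(sock, line=SAMPLE_LINE, timeout=0.5, cap=64 * 1024 * 1024):
    """Write lines on a blocking socket until send() no longer returns.

    The kernel buffers on both ends absorb data until they fill; after that
    a blocking send() waits for the reader. The timeout stands in for
    "waits forever". Returns (bytes_written, stalled)."""
    sock.settimeout(timeout)
    written = 0
    while written < cap:
        try:
            written += sock.send(line)
        except socket.timeout:
            return written, True
    return written, False  # reader kept up; nothing stalled


def nonblocking_writer(sock, line=SAMPLE_LINE, attempts=100_000):
    """Write the same lines on a non-blocking socket.

    When the buffers are full, send() raises BlockingIOError instead of
    waiting, so the producer can count a dropped line and carry on.
    Returns (lines_sent, lines_dropped)."""
    sock.setblocking(False)
    sent = dropped = 0
    for _ in range(attempts):
        try:
            sock.send(line)  # a partial write is still counted as sent here
            sent += 1
        except BlockingIOError:
            dropped += 1
    return sent, dropped


def run_blocking_demo():
    """Producer paired with a consumer that never reads. Returns (bytes, stalled)."""
    producer, stuck_consumer = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return blocking_writer(producer)
    finally:
        producer.close()
        stuck_consumer.close()


def run_nonblocking_demo():
    """Same stuck consumer, non-blocking producer. Returns (sent, dropped)."""
    producer, stuck_consumer = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return nonblocking_writer(producer)
    finally:
        producer.close()
        stuck_consumer.close()


if __name__ == "__main__":
    written, stalled = run_blocking_demo()
    print(f"blocking producer: {written} bytes buffered, then stalled={stalled}")
    sent, dropped = run_nonblocking_demo()
    print(f"non-blocking producer: {sent} lines sent, {dropped} dropped, never stalled")
```

The blocking run shows the failure mode: the producer gets a few hundred kilobytes into the socket buffers and then hangs until the consumer reads again. The non-blocking run shows the trade-off a sensor operator has to choose between: keep the producer alive and lose lines, or keep every line and accept that the producer stalls. Either way, the health of the consumer (here, the logstash input) is what decides whether the sensor keeps working, so it is the thing to monitor and alert on.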