[Oisf-users] question about unix_stream and http-logs

[Andreas Herz]

On 14/02/17 at 08:06, jason taylor wrote:
> We use the following config snippet on our sensors and recently noticed
> that if our application (logstash) is unable to send the unix_stream
> events to the logstash destination, suricata will stop firing alerts.

Every alerts or just the ones for the unix socket?

> Is this expected behavior?

Not sure

> I am not sure what other information here would be useful, so just let
> me know what else would be needed.

What version of suricata are you using?

What happens if the app is able to work again?

-- 
Andreas Herz