[Oisf-users] question about unix_stream and http-logs
jason taylor
jtfas90 at gmail.com
Wed Feb 15 20:44:12 UTC 2017
On Wed, 2017-02-15 at 21:24 +0100, Andreas Herz wrote:
> On 14/02/17 at 08:06, jason taylor wrote:
> > We use the following config snippet on our sensors and recently noticed
> > that if our application (logstash) is unable to send the unix_stream
> > events to the logstash destination, suricata will stop firing alerts.
>
> Every alert or just the ones for the unix socket?
>
> > Is this expected behavior?
>
> Not sure
>
> > I am not sure what other information here would be useful, so just let
> > me know what else would be needed.
>
> What version of suricata are you using?
3.1.2 from EPEL
> What happens if the app is able to work again?
>
Suricata generally processes alerts again if logstash starts sending
data off the socket again. However, suricata doesn't always, and
sometimes requires a restart.
JT