[Oisf-users] question about unix_stream and http-logs
Andreas Herz
andi at geekosphere.org
Wed Feb 15 20:53:01 UTC 2017
On 15/02/17 at 15:44, jason taylor wrote:
> On Wed, 2017-02-15 at 21:24 +0100, Andreas Herz wrote:
> > On 14/02/17 at 08:06, jason taylor wrote:
> > > We use the following config snippet on our sensors and recently noticed
> > > that if our application (logstash) is unable to send the unix_stream
> > > events to the logstash destination, suricata will stop firing alerts.
> >
> > All alerts or just the ones for the unix socket?
> >
> > > Is this expected behavior?
> >
> > Not sure
> >
> > > I am not sure what other information here would be useful, so just let
> > > me know what else would be needed.
> >
> > What version of suricata are you using?
>
> 3.1.2 from EPEL
>
Could you test with 3.2.1 as well?
> > What happens if the app is able to work again?
> >
> Suricata generally processes alerts again if logstash starts sending
> data off the socket again. However, suricata doesn't always and
> sometimes requires a restart.
So you see that all alerts stop, not just the ones for the http.log. If
that is still the same with 3.2.1, please file a bug report at our
redmine.
If possible, try to find an "easy" way to trigger/reproduce it.
Thanks
--
Andreas Herz
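The thread does not establish why alerts stop, but one mechanism worth ruling out before filing the bug is plain socket backpressure: a unix stream consumer that holds the connection open without reading eventually fills the kernel socket buffer, and any writer that blocks on that socket stalls with it. The script below is an added example, not code from this thread or from Suricata or logstash; it stands in for both sides of the unix_stream connection (the writer plays the sensor, the consumer plays logstash) and measures how many constructed EVE-style records get through with a draining consumer versus a stalled one. The record contents, the socket path and the 0.5 s write timeout are assumptions chosen for the demonstration; the script does not claim that Suricata's own writer behaves this way, only that the effect is easy to reproduce on a unix stream socket.

```python
"""Added example: reproduce unix_stream backpressure on a local socket.

A consumer that accepts the connection but never reads makes a writer with
a send timeout stall once the kernel buffer is full; a draining consumer
lets every record through.
"""
import json
import os
import socket
import tempfile
import threading


def fake_eve_alert(i: int) -> bytes:
    # Constructed sample record in the shape of an EVE alert line; not real traffic.
    rec = {
        "timestamp": "2017-02-15T20:53:01.000000+0000",
        "event_type": "alert",
        "src_ip": "192.0.2.10",
        "dest_ip": "198.51.100.20",
        "alert": {"signature_id": 1000000 + i, "signature": "TEST alert %d" % i},
    }
    return (json.dumps(rec) + "\n").encode()


def simulate_unix_stream(drain: bool, n_events: int = 20000, timeout: float = 0.5) -> dict:
    """Push n_events records through a unix stream socket and report progress.

    drain=True: the consumer reads everything (healthy logstash).
    drain=False: the consumer accepts but never reads (wedged logstash).
    Returns {"sent": ..., "stalled_at": index or None, "received": ...}.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "eve.sock")  # assumed socket path for the demo
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(1)

    received = {"lines": 0}
    stop = threading.Event()

    def consumer():
        conn, _ = server.accept()
        with conn:
            if not drain:
                stop.wait()  # keep the connection open but never read from it
                return
            buf = b""
            while True:
                chunk = conn.recv(65536)
                if not chunk:
                    break
                buf += chunk
                *lines, buf = buf.split(b"\n")  # count complete newline-delimited records
                received["lines"] += len(lines)

    t = threading.Thread(target=consumer, daemon=True)
    t.start()

    writer = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    writer.connect(path)
    writer.settimeout(timeout)  # a write that cannot complete within timeout counts as a stall
    sent = 0
    stalled_at = None
    try:
        for i in range(n_events):
            try:
                writer.sendall(fake_eve_alert(i))
            except socket.timeout:
                stalled_at = i
                break
            sent += 1
        writer.shutdown(socket.SHUT_WR)  # EOF lets a draining consumer finish
    finally:
        stop.set()
        writer.close()
        t.join(timeout=5)
        server.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return {"sent": sent, "stalled_at": stalled_at, "received": received["lines"]}


if __name__ == "__main__":
    print("draining consumer:", simulate_unix_stream(drain=True))
    print("stalled consumer: ", simulate_unix_stream(drain=False))
```

With the stalled consumer the writer gets only as far as the kernel's socket buffer allows and then times out; with the draining consumer all records arrive. If a sensor's output behaves the same way, a wedged consumer shows up as a writer that never returns from its write, which is the symptom to look for (and to mention in the bug report) rather than a lost alert as such.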