[Oisf-users] change destination of pcap files

erik clark philosnef at gmail.com
Tue Feb 21 13:58:55 UTC 2017


Sorry for the spam. I let suri run in the non-logging state for a few
minutes, and finally got output. I have a huge number of kernel_drops, a
bunch of log.pcap.usec files, but no updates to eve.json. Is log-pcap
incompatible with eve.json logging?

On Tue, Feb 21, 2017 at 8:35 AM, erik clark <philosnef at gmail.com> wrote:

> As an aside, if I set pcap-log to enabled: yes, I get zero alerts in
> eve.json, and no pcap files. Moreover, stats in eve.json indicate that suri
> apparently is not capturing traffic anymore either... What am I doing
> wrong? :D
>
> On Tue, Feb 21, 2017 at 8:11 AM, erik clark <philosnef at gmail.com> wrote:
>
>> I am trying to change the location of the pcap files being generated on
>> alert to
>>
>> /opt/suricata/var/pcap
>>
>> Also, I can't seem to capture this anyway. I have
>>
>> - eve-log:
>>     types:
>>        - alert:
>>             packet: yes
>>
>> but I see nowhere that the files are being captured. Please advise what I
>> did wrong. Thanks!
>>
>>
>