[Oisf-users] Searching Suricata logs

Charles Devoe Charles.Devoe at cisecurity.org
Fri Jul 14 17:52:25 UTC 2017


I am looking for just the errors.  In Splunk it parses as such.  I would like to know if I search for either error or ERR that I will get all errors.

   engine: {
     error: SC_ERR_NO_RULES_LOADED
     error_code: 43
     message: 1 rule files specified, but no rule was loaded at all!


Charles DeVoe Jr.
Manager of Engineering
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061

charles.devoe at cisecurity.org
(518) 266-3494
7x24 Security Operations Center
SOC at cisecurity.org<mailto:SOC at cisecurity.org> - 1-866-787-4722





From: Eric Leblond <eric at regit.org>
Date: Friday, July 14, 2017 at 1:30 PM
To: Charles Devoe <Charles.Devoe at cisecurity.org>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Searching Suricata logs




Hi,

On Fri, 2017-07-14 at 17:02 +0000, Charles Devoe wrote:
> I am attempting to watch the log files from suricata that are in json
> format.  I specifically want to watch for errors.  Can I assume all
> error conditions will have the word “error”?

If by error you mean Suricata error like engine error, you will not
find them in the eve.json file but rather in suricata.log that can also
be in json.
If ever all your logs get to a database you can look for
event_type:engine to find them.

BR,
--
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
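The two points of the thread, that engine errors are found under event_type:engine rather than by grepping for "error"/"ERR", and that a plain text search also returns lines that merely mention the word, checked with a small structural filter. This is an added example, not code from the thread or from Suricata; the sample records are constructed, and only the names event_type, engine, error, error_code and message are taken from the thread (timestamp, log_level and the alert record are assumed).

```python
import json

# Constructed sample records, as they might look once a JSON-format
# suricata.log and eve.json are merged into one log store. Field names
# other than event_type/engine/error/error_code/message are assumed.
SAMPLE_LINES = [
    '{"timestamp":"2017-07-14T17:49:37+0000","log_level":"Info","event_type":"engine",'
    '"engine":{"message":"Loading rule file: rules/error.rules"}}',
    '{"timestamp":"2017-07-14T17:49:38+0000","log_level":"Error","event_type":"engine",'
    '"engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED",'
    '"message":"1 rule files specified, but no rule was loaded at all!"}}',
    '{"timestamp":"2017-07-14T17:50:01+0000","event_type":"alert",'
    '"alert":{"signature":"CONSTRUCTED TEST signature mentioning error"}}',
    "stray plain-text line that is not a JSON object",
]

def parse_json_lines(lines):
    """Yield each line that parses as a JSON object; skip blanks and non-JSON."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec

def engine_errors(lines):
    """Engine records that carry an error code (assumption: the engine object
    only has error/error_code when Suricata logged an actual error)."""
    found = []
    for rec in parse_json_lines(lines):
        if rec.get("event_type") != "engine":
            continue
        eng = rec.get("engine")
        if isinstance(eng, dict) and ("error_code" in eng or "error" in eng):
            found.append({"log_level": rec.get("log_level"),
                          "error": eng.get("error"),
                          "error_code": eng.get("error_code"),
                          "message": eng.get("message")})
    return found

def text_matches(lines, needles=("error", "ERR")):
    """What a plain case-insensitive text search for the needles would return."""
    return [l for l in lines if any(n.lower() in l.lower() for n in needles)]
```

On the sample, the structural filter returns only the SC_ERR_NO_RULES_LOADED record, while the text search also returns the Info line and the alert that merely contain the word.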
