[Oisf-users] Issues with suricata eve.json datagram logging?

Cooper F. Nelson cnelson at ucsd.edu
Thu May 25 17:51:45 UTC 2017


I saw that article, however it appears to be using the suricata 'file'
(vs. native syslog) output.  Syslog-ng is then monitoring the log file.
I would prefer to avoid any disk I/O if at all possible.

I experimented with the 4-series beta from git and observed the behavior
you mention (suricata reporting dropped events).

Some googling/tuning turned up this /etc/sysctl.conf setting that
appears to improve performance when using dgram output ...

> net.unix.max_dgram_qlen=65535

... so you might want to look into making that a recommended setting, or
auto-configuring it if suricata is built with sockets enabled.

-Coop

On 5/24/2017 5:48 PM, Jason Ish wrote:
> There is a recent blog post about using syslog-ng, not sure if it will
> fit your use case though:
> 
> https://www.balabit.com/blog/collecting-and-parsing-suricata-logs-using-syslog-ng/
> 
> 
> But I think your end-goal will determine ultimately what's best for you.
> In an environment that generates lots of logs I'd probably opt not to
> use unix_sock or unix_dgram right now. If the receiver can't keep up to
> the pace of events, it could actually cause Suricata to drop packets.
> The next release of Suricata will drop events if the receiver can't keep
> up instead of blocking packets.
> 
> But if your syslog daemon is syslog-ng, I'd maybe just try using plain
> old syslog before bothering with the socket, but I don't really have any
> experience with doing that myself.
> 
> Jason


-- 
Cooper Nelson
IT Security - Information Technology Services
University of California San Diego
(858) 534-6487 - cnelson at ucsd.edu
https://cybersecurity.ucsd.edu
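The queue-depth behaviour discussed in this thread can be reproduced without Suricata. The script below is an added example, not code from the mailing list or from the Suricata project: it binds a unix datagram receiver that never reads, pushes constructed EVE-style JSON records at it from a non-blocking sender until the kernel refuses the next datagram, then drains and parses what was accepted. The socket path, the sample records, and the helper names are assumptions; the sysctl path is the Linux knob Cooper mentions and is reported as None where it is not exposed.

```python
"""Show how net.unix.max_dgram_qlen bounds the backlog a unix_dgram EVE
receiver can accumulate.  Added example (not from the thread or from
Suricata); the socket path, the constructed records and the helper names
are assumptions."""
import errno
import json
import os
import socket
import tempfile

SYSCTL_PATH = "/proc/sys/net/unix/max_dgram_qlen"  # Linux-only knob from the thread


def read_max_dgram_qlen():
    """Return the kernel's per-socket datagram queue limit, or None when the
    sysctl is not exposed (non-Linux host or restricted sandbox)."""
    try:
        with open(SYSCTL_PATH) as fh:
            return int(fh.read().strip())
    except OSError:
        return None


def eve_record(n):
    """Constructed EVE-style alert; a real Suricata record carries many more fields."""
    return json.dumps({
        "timestamp": "2017-05-25T17:51:45.000000+0000",
        "event_type": "alert",
        "src_ip": "192.0.2.10",
        "dest_ip": "198.51.100.20",
        "alert": {"signature_id": 1000000 + n, "signature": "EXAMPLE sid %d" % n},
    }).encode()


def fill_receiver_queue(limit=100000):
    """Bind a unix datagram receiver that never reads, send non-blocking until
    the kernel refuses a datagram, then drain.  Returns how many records the
    queue absorbed, whether the sender was refused, and what was drained."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "eve.sock")  # assumed path; any short path works
    receiver = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    receiver.bind(path)
    sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    # A blocking sender is exactly what stalls Suricata's worker threads when
    # the receiver falls behind; non-blocking turns the stall into an error.
    sender.setblocking(False)
    queued = 0
    refused = False
    drained = []
    try:
        for n in range(limit):
            try:
                sender.sendto(eve_record(n), path)
            except OSError as exc:
                # Linux reports EAGAIN once the receive queue (or the sender's
                # send buffer) is full; some BSDs report ENOBUFS instead.
                if exc.errno in (errno.EAGAIN, errno.EWOULDBLOCK, errno.ENOBUFS):
                    refused = True
                    break
                raise
            queued += 1
        # Drain: every datagram the kernel accepted is still intact and parseable.
        receiver.setblocking(False)
        while True:
            try:
                data = receiver.recv(65536)
            except OSError as exc:
                if exc.errno in (errno.EAGAIN, errno.EWOULDBLOCK):
                    break  # queue empty
                raise
            drained.append(json.loads(data.decode()))
    finally:
        sender.close()
        receiver.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return {
        "max_dgram_qlen": read_max_dgram_qlen(),
        "queued": queued,
        "refused": refused,
        "drained": len(drained),
        "last_sid": drained[-1]["alert"]["signature_id"] if drained else None,
    }


if __name__ == "__main__":
    print(fill_receiver_queue())
```

Run it once with the kernel default and once after raising net.unix.max_dgram_qlen as in the thread: the `queued` figure grows with the sysctl until the sender's send buffer becomes the binding limit, which is the headroom a slow syslog receiver gets before Suricata has to block or drop.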
