[Oisf-users] File-store Version 2

Jeremy A. Grove jgrove at quadrantsec.com
Tue Feb 27 15:39:08 UTC 2018


Hi There, 

I am using Suricata 4.0.3 and I am trying to convert file-store to version 2 but it does not seem to be recognizing the change. Secondly, I am attempting to begin using the waldo file feature and it isn't being used. I have pasted that section below for reference. 

Example of my issue is that in File-store version 1 you use "log-dir" versus in version 2 you use "dir", according to the documentation, but with "version 2" in the yaml it does not recognize "dir", which is why the below example is using "log-dir". 

Any ideas of what I am missing? 

- file-store:
    version: 2
    enabled: yes                      # set to yes to enable
    log-dir: /var/log/suricata/files/ # directory to store the files
    force-magic: yes                  # force logging magic on all stored files
    write-fileinfo: yes
    force-hash: [md5,sha256]
    force-filestore: no               # force storing of all files
    stream-depth: 0
    waldo: file.waldo                 # waldo file to store the file_id across runs

Excerpt from start up log: 

27/2/2018 -- 15:10:19 - <Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed 
27/2/2018 -- 15:10:19 - <Info> - Threshold config parsed: 0 rule(s) found 
27/2/2018 -- 15:10:19 - <Info> - 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only 
27/2/2018 -- 15:10:19 - <Info> - dropped the caps for main thread 
27/2/2018 -- 15:10:19 - <Info> - fast output device (regular) initialized: fast.log 
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/dns.json 
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/tls.json 
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/files.json 
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/http.json 
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/ssh.json 
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/smtp.json 
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/flow.json 
27/2/2018 -- 15:10:19 - <Info> - Using log dir /var/tmp/openfpyc/pcap/ 
27/2/2018 -- 15:10:19 - <Info> - using normal logging 
27/2/2018 -- 15:10:19 - <Info> - stats-json output device (regular) initialized: /var/log/suricata/stats/stats-meta.log 
27/2/2018 -- 15:10:19 - <Info> - Syslog output initialized 
27/2/2018 -- 15:10:19 - <Info> - forcing magic lookup for stored files 
27/2/2018 -- 15:10:19 - <Info> - storing files in /var/log/suricata/files/ 
27/2/2018 -- 15:10:19 - <Info> - file-log output device (regular) initialized: files-json.log 
27/2/2018 -- 15:10:19 - <Info> - forcing magic lookup for logged files 
27/2/2018 -- 15:10:19 - <Info> - Going to use 8 thread(s) 
27/2/2018 -- 15:10:19 - <Info> - Initializing PCAP ring buffer for /var/tmp/openfpyc/pcap//openfpyc.pcap. 
27/2/2018 -- 15:10:19 - <Notice> - Ring buffer initialized with 415 files. 
27/2/2018 -- 15:10:19 - <Info> - Going to use 8 thread(s) 
27/2/2018 -- 15:10:19 - <Info> - Going to use 8 thread(s) 
27/2/2018 -- 15:10:19 - <Notice> - all 24 packet processing threads, 4 management threads initialized, engine started. 



Jeremy Grove, SSCP 
Senior Information Security Analyst 
Quadrant Information Security 
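As an added defender-side check (example code written for this page, not part of the post or of Suricata itself), the script below scans a suricata.yaml text for file-store output blocks and flags the version 1 / version 2 directory-key mix-up the post describes (version 1 reads log-dir, version 2 reads dir). It assumes the flat "key: value # comment" layout shown in the post rather than full YAML, treats a block without a version key as version 1, and runs against a constructed sample config.

```python
"""Lint Suricata file-store blocks for the version 1 / version 2 key mix-up (log-dir vs dir)."""
import re

# Directory key per version, as the thread states: v1 reads "log-dir", v2 reads "dir".
DIR_KEY = {1: "log-dir", 2: "dir"}
_KV = re.compile(r"^\s*([A-Za-z0-9_-]+):\s*(.*?)\s*$")   # plain "key: value" lines only

def parse_file_store_blocks(text):
    """Return one dict of direct key/value pairs per '- file-store:' block (comments stripped)."""
    blocks, current, base_indent = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("- file-store:"):
            current, base_indent = {}, indent
            blocks.append(current)
        elif current is not None and indent <= base_indent:
            current = None                 # back at list level: block ended
        elif current is not None and (m := _KV.match(line)):
            # "#" starts a trailing comment; the post's config uses no quoted values
            current[m.group(1)] = m.group(2).split("#", 1)[0].strip()
    return blocks

def lint_file_store(block):
    """Findings for one block; empty list means its directory key matches its version."""
    # The post's version 1 block has no version key; absence is treated as 1 (assumption).
    version = int(block.get("version", "1"))
    want, other = DIR_KEY[version], DIR_KEY[3 - version]
    if other in block and want not in block:
        return [f"version {version} block sets '{other}' but the documented key is '{want}'"]
    return [] if want in block else [f"version {version} block has no '{want}' key"]

def lint_config(text):
    """(block index, finding) pairs for every file-store block in a suricata.yaml text."""
    return [(i, f) for i, b in enumerate(parse_file_store_blocks(text))
            for f in lint_file_store(b)]

# Constructed sample: a version 2 block still using the version 1 key, then a plain v1 block.
SAMPLE = """\
outputs:
  - file-store:
      version: 2
      enabled: yes                        # set to yes to enable
      log-dir: /var/log/suricata/files/   # version 1 key left in a version 2 block
  - file-store:
      enabled: yes
      log-dir: files
"""
```

Running lint_config over a real suricata.yaml reports only blocks whose directory key does not match their declared version, so a clean run means the rename is not the problem.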




