[Oisf-users] File-store Version 2
Jeremy A. Grove
jgrove at quadrantsec.com
Tue Feb 27 15:39:08 UTC 2018
Hi There,
I am using Suricata 4.0.3 and I am trying to convert file-store to version 2, but it does not seem to be recognizing the change. Secondly, I am attempting to begin using the waldo file feature and it isn't being used. I have pasted that section below for reference.
An example of my issue is that in file-store version 1 you use "log-dir", versus in version 2 you use "dir", according to the documentation, but with "version: 2" in the yaml it does not recognize "dir", which is why the example below is using "log-dir".
Any ideas of what I am missing?
  - file-store:
      version: 2
      enabled: yes                       # set to yes to enable
      log-dir: /var/log/suricata/files/  # directory to store the files
      force-magic: yes                   # force logging magic on all stored files
      write-fileinfo: yes
      force-hash: [md5,sha256]
      force-filestore: no                # force storing of all files
      stream-depth: 0
      waldo: file.waldo                  # waldo file to store the file_id across runs
Excerpt from startup log:
27/2/2018 -- 15:10:19 - <Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed
27/2/2018 -- 15:10:19 - <Info> - Threshold config parsed: 0 rule(s) found
27/2/2018 -- 15:10:19 - <Info> - 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only
27/2/2018 -- 15:10:19 - <Info> - dropped the caps for main thread
27/2/2018 -- 15:10:19 - <Info> - fast output device (regular) initialized: fast.log
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/dns.json
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/tls.json
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/files.json
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/http.json
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/ssh.json
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/smtp.json
27/2/2018 -- 15:10:19 - <Info> - eve-log output device (regular) initialized: /var/log/suricata/flows/current/flow.json
27/2/2018 -- 15:10:19 - <Info> - Using log dir /var/tmp/openfpyc/pcap/
27/2/2018 -- 15:10:19 - <Info> - using normal logging
27/2/2018 -- 15:10:19 - <Info> - stats-json output device (regular) initialized: /var/log/suricata/stats/stats-meta.log
27/2/2018 -- 15:10:19 - <Info> - Syslog output initialized
27/2/2018 -- 15:10:19 - <Info> - forcing magic lookup for stored files
27/2/2018 -- 15:10:19 - <Info> - storing files in /var/log/suricata/files/
27/2/2018 -- 15:10:19 - <Info> - file-log output device (regular) initialized: files-json.log
27/2/2018 -- 15:10:19 - <Info> - forcing magic lookup for logged files
27/2/2018 -- 15:10:19 - <Info> - Going to use 8 thread(s)
27/2/2018 -- 15:10:19 - <Info> - Initializing PCAP ring buffer for /var/tmp/openfpyc/pcap//openfpyc.pcap.
27/2/2018 -- 15:10:19 - <Notice> - Ring buffer initialized with 415 files.
27/2/2018 -- 15:10:19 - <Info> - Going to use 8 thread(s)
27/2/2018 -- 15:10:19 - <Info> - Going to use 8 thread(s)
27/2/2018 -- 15:10:19 - <Notice> - all 24 packet processing threads, 4 management threads initialized, engine started.
Jeremy Grove, SSCP
Senior Information Security Analyst
Quadrant Information Security
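The mismatch described in this thread (a "version: 2" block that still carries the version 1 "log-dir" key) is easy to catch before Suricata is restarted. The following is an added example, not code from the post or from the Suricata project: a small pre-deployment checker that parses the flat `key: value # comment` lines of the file-store block as pasted above, applies only the rule the post itself cites from the documentation (version 1 names the directory with `log-dir`, version 2 with `dir`), and cross-checks the "storing files in" line of the startup log so an analyst can confirm which directory the running engine actually uses. The sample config and log line are copied from the post; the corrected version 2 block at the end is constructed for illustration. It is not a general YAML parser.

```python
import re

# Constructed from the post: the file-store block exactly as pasted (flattened).
SAMPLE_CONFIG = """\
- file-store:
version: 2
enabled: yes # set to yes to enable
log-dir: /var/log/suricata/files/ # directory to store the files
force-magic: yes # force logging magic on all stored files
write-fileinfo: yes
force-hash: [md5,sha256]
force-filestore: no # force storing of all files
stream-depth: 0
waldo: file.waldo # waldo file to store the file_id across runs
"""

# Constructed from the post: the relevant startup-log line.
SAMPLE_LOG = "27/2/2018 -- 15:10:19 - <Info> - storing files in /var/log/suricata/files/"

# Directory key per file-store version, as the post quotes the documentation.
DIR_KEY = {1: "log-dir", 2: "dir"}


def parse_flat_block(text):
    """Parse `key: value  # comment` lines into a dict.

    Assumes a single flat block (the `file-store` section); nested YAML is
    out of scope for this checker.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        line = line.lstrip("- ").strip()      # tolerate the leading "- file-store:" form
        if not line or ":" not in line:
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        if not val:                           # the "file-store:" header line itself
            continue
        if val.startswith("[") and val.endswith("]"):
            val = [v.strip() for v in val[1:-1].split(",") if v.strip()]
        elif val.isdigit():
            val = int(val)
        cfg[key.strip()] = val
    return cfg


def check_filestore(cfg):
    """Return a list of findings for a parsed file-store block (empty = OK)."""
    findings = []
    version = cfg.get("version", 1)          # assumption: no version key means v1
    if version not in DIR_KEY:
        return [f"unknown file-store version {version!r}"]
    want = DIR_KEY[version]
    other = DIR_KEY[3 - version]
    if want not in cfg:
        findings.append(f"version {version} expects directory key '{want}'")
    if other in cfg:
        findings.append(f"'{other}' belongs to version {3 - version}, not version {version}")
    return findings


def active_store_dir(startup_log):
    """Extract the directory Suricata reports in its 'storing files in' line."""
    m = re.search(r"storing files in (\S+)", startup_log)
    return m.group(1) if m else None


def audit(config_text, startup_log):
    """Combine the config findings with a config-vs-log directory comparison."""
    cfg = parse_flat_block(config_text)
    findings = check_filestore(cfg)
    configured = cfg.get("dir") or cfg.get("log-dir")
    running = active_store_dir(startup_log)
    if running and configured and running != configured:
        findings.append(f"engine stores files in {running}, config says {configured}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, SAMPLE_LOG):
        print("finding:", f)
    # Constructed corrected block for comparison: version 2 with `dir`.
    print("fixed block findings:", audit("file-store:\nversion: 2\ndir: /var/log/suricata/files/\n", SAMPLE_LOG))
```

Running it against the posted block reports that version 2 expects `dir` and that `log-dir` belongs to version 1, while the log line confirms the engine is still storing into `/var/log/suricata/files/`, i.e. the version 1 directory setting is what took effect.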