[Oisf-users] rule profiling question - no log files created
Konrad Weglowski
konrad.weglowski at gmail.com
Thu Jan 24 16:22:53 UTC 2019
Hey Andreas,
Sorry for late reply. I did run a pcap as per below and I can see rule
profiling logs appear.
suricata --runmode single -r <pcap file>
Is there a way to get this to work with pfring?
Thanks,
Konrad
On Tue, Jan 15, 2019 at 4:03 PM Andreas Herz <andi at geekosphere.org> wrote:
> Hi Konrad,
>
> On 15/01/19 at 15:39, Konrad Weglowski wrote:
> > Hey Andreas,
> >
> > I did double check with "--build-info" command that it is enabled and log
> > dir is set correct/writable - other logs get written there no problem
> > (alerts,stats, etc)
> >
> > build-info related output:
> > ---
> > Profiling enabled: yes
> > Profiling locks enabled: no
> > ---
> >
> > Below is command to run suricata used:
> >
> > suricata --pfring-int=p4p1 --pfring-cluster-id=98
> > --pfring-cluster-type=cluster_flow --pidfile /var/run/suricata.pid
>
> Could you try another runmode? At least with a test .pcap and the -r
> runmode and see if it's working then?
>
> > Do I need anything added under "outputs" section? Currently we use
> eve-log
> > format for alerts and stats which is configured there.
> >
> > Thanks
> >
> > Konrad
> >
> > On Tue, Jan 8, 2019 at 3:30 PM Andreas Herz <andi at geekosphere.org>
> wrote:
> >
> > > Hi Konrad,
> > >
> > > On 08/01/19 at 15:01, Konrad Weglowski wrote:
> > > > Hello,
> > > >
> > > > I would like to enable rule profiling for tuning purposes. Suricata
> has
> > > > been compiled with profiling option and below config is in the
> > > > suricata.yaml. None of the log files are being created however...do
> you
> > > > know what can be possibly missing here?
> > >
> > > Did you double check if it's enabled when you pass '--build-info'?
> > >
> > > How do you start/run suricata?
> > >
> > > The log dir is set correct and writeable?
> > >
> > > Greetings
> > >
> > > --
> > > Andreas Herz
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > >
> > > Conference: https://suricon.net
> > > Trainings: https://suricata-ids.org/training/
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190124/30f1b9b8/attachment.html>
More information about the Oisf-users
mailing list