[Oisf-users] rule profiling question - no log files created
Konrad Weglowski
konrad.weglowski at gmail.com
Thu Jan 24 20:02:20 UTC 2019
Hello,
One more thing I wanted to ask. Are the rule profiling logs written only
when suricata process is restarted/shut down? We are running Suricata
inside a docker container, maybe that has something to do with it (when
process is terminated, container goes down basically)
Thanks,
Konrad
On Thu, Jan 24, 2019 at 11:22 AM Konrad Weglowski <
konrad.weglowski at gmail.com> wrote:
> Hey Andreas,
>
> Sorry for late reply. I did run a pcap as per below and I can see rule
> profiling logs appear.
>
> suricata --runmode single -r <pcap file>
>
> Is there a way to get this to work with pfring?
>
> Thanks,
>
> Konrad
>
> On Tue, Jan 15, 2019 at 4:03 PM Andreas Herz <andi at geekosphere.org> wrote:
>
>> Hi Konrad,
>>
>> On 15/01/19 at 15:39, Konrad Weglowski wrote:
>> > Hey Andreas,
>> >
>> > I did double check with "--build-info" command that it is enabled and
>> log
>> > dir is set correct/writable - other logs get written there no problem
>> > (alerts,stats, etc)
>> >
>> > build-info related output:
>> > ---
>> > Profiling enabled: yes
>> > Profiling locks enabled: no
>> > ---
>> >
>> > Below is command to run suricata used:
>> >
>> > suricata --pfring-int=p4p1 --pfring-cluster-id=98
>> > --pfring-cluster-type=cluster_flow --pidfile /var/run/suricata.pid
>>
>> Could you try another runmode? At least with a test .pcap and the -r
>> runmode and see if it's working then?
>>
>> > Do I need anything added under "outputs" section? Currently we use
>> eve-log
>> > format for alerts and stats which is configured there.
>> >
>> > Thanks
>> >
>> > Konrad
>> >
>> > On Tue, Jan 8, 2019 at 3:30 PM Andreas Herz <andi at geekosphere.org>
>> wrote:
>> >
>> > > Hi Konrad,
>> > >
>> > > On 08/01/19 at 15:01, Konrad Weglowski wrote:
>> > > > Hello,
>> > > >
>> > > > I would like to enable rule profiling for tuning purposes. Suricata
>> has
>> > > > been compiled with profiling option and below config is in the
>> > > > suricata.yaml. None of the log files are being created however...do
>> you
>> > > > know what can be possibly missing here?
>> > >
>> > > Did you double check if it's enabled when you pass '--build-info'?
>> > >
>> > > How do you start/run suricata?
>> > >
>> > > The log dir is set correct and writeable?
>> > >
>> > > Greetings
>> > >
>> > > --
>> > > Andreas Herz
>> > > _______________________________________________
>> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > > Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> > > List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > >
>> > > Conference: https://suricon.net
>> > > Trainings: https://suricata-ids.org/training/
>>
>> --
>> Andreas Herz
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190124/87109750/attachment-0001.html>
More information about the Oisf-users
mailing list