[Oisf-users] rule profiling question - no log files created

Konrad Weglowski konrad.weglowski at gmail.com
Fri Jan 25 19:12:14 UTC 2019


Hey Andreas,

It turns out the problem is docker related. When the container stops, Suricata
doesn't have a chance to write the performance logs, basically. If I run it
manually inside the container and stop it without killing the container
itself, I get the logs.

Thanks for your help again.

Konrad

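As an added example, not from the thread: a small entrypoint wrapper that addresses the behaviour Konrad describes. When the shell is the container's PID 1 it catches the SIGTERM that `docker stop` sends, relays it to Suricata and waits for Suricata to exit on its own, so shutdown-time output such as the rule profiling log is written before the container goes away. The function name `run_forwarding` is my own; the Suricata command line in the comment is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): entrypoint wrapper for running
# Suricata as a container's main process. The shell becomes PID 1, catches
# the SIGTERM that "docker stop" sends, forwards it to Suricata and waits
# until Suricata has exited by itself, so the outputs written at shutdown
# (rule profiling logs) are flushed before the container disappears.

# run_forwarding CMD [ARGS...]: run CMD as a child, relay TERM/INT to it,
# wait for it to finish and return its exit status.
run_forwarding() {
    "$@" &
    child=$!
    # On TERM/INT ask the child to shut down gracefully (no SIGKILL here).
    trap 'kill -TERM "$child" 2>/dev/null || true' TERM INT
    status=0
    wait "$child" || status=$?
    # A trapped signal interrupts wait (status > 128) while the child is
    # still alive; keep waiting until the child itself has really exited.
    while kill -0 "$child" 2>/dev/null; do
        status=0
        wait "$child" || status=$?
    done
    trap - TERM INT
    return "$status"
}

# Container usage (the command line is the one from the thread):
#   ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]
#   CMD ["suricata", "--pfring-int=p4p1", "--pfring-cluster-id=98",
#        "--pfring-cluster-type=cluster_flow", "--pidfile", "/var/run/suricata.pid"]
# Raise the stop grace period (docker stop -t / --stop-timeout, default 10 s)
# if Suricata needs longer than that to write its profiling output.
if [ "$#" -gt 0 ]; then
    run_forwarding "$@"
    exit "$?"
fi
```

Without the wrapper (or with `sh -c "suricata ..."` and no `exec`), the signal reaches the shell but not Suricata, which is then killed with the container before it has flushed anything.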

On Thu, Jan 24, 2019 at 3:02 PM Konrad Weglowski <konrad.weglowski at gmail.com>
wrote:

> Hello,
>
> One more thing I wanted to ask. Are the rule profiling logs written only
> when the suricata process is restarted/shut down? We are running Suricata
> inside a docker container; maybe that has something to do with it (when the
> process is terminated, the container goes down, basically).
>
> Thanks,
>
> Konrad
>
>
> On Thu, Jan 24, 2019 at 11:22 AM Konrad Weglowski <
> konrad.weglowski at gmail.com> wrote:
>
>> Hey Andreas,
>>
>> Sorry for the late reply. I did run a pcap as per below and I can see the rule
>> profiling logs appear.
>>
>> suricata --runmode single -r <pcap file>
>>
>> Is there a way to get this to work with pfring?
>>
>> Thanks,
>>
>> Konrad
>>
>> On Tue, Jan 15, 2019 at 4:03 PM Andreas Herz <andi at geekosphere.org>
>> wrote:
>>
>>> Hi Konrad,
>>>
>>> On 15/01/19 at 15:39, Konrad Weglowski wrote:
>>> > Hey Andreas,
>>> >
>>> > I did double check with the "--build-info" command that it is enabled and
>>> > the log dir is set correctly/writable - other logs get written there no problem
>>> > (alerts, stats, etc.)
>>> >
>>> > build-info related output:
>>> > ---
>>> >   Profiling enabled:                       yes
>>> >   Profiling locks enabled:                 no
>>> > ---
>>> >
>>> > Below is the command used to run suricata:
>>> >
>>> > suricata --pfring-int=p4p1 --pfring-cluster-id=98
>>> > --pfring-cluster-type=cluster_flow --pidfile /var/run/suricata.pid
>>>
>>> Could you try another runmode? At least with a test .pcap and the -r
>>> runmode and see if it's working then?
>>>
>>> > Do I need anything added under the "outputs" section? Currently we use the
>>> > eve-log format for alerts and stats, which is configured there.
>>> >
>>> > Thanks
>>> >
>>> > Konrad
>>> >
>>> > On Tue, Jan 8, 2019 at 3:30 PM Andreas Herz <andi at geekosphere.org>
>>> wrote:
>>> >
>>> > > Hi Konrad,
>>> > >
>>> > > On 08/01/19 at 15:01, Konrad Weglowski wrote:
>>> > > > Hello,
>>> > > >
>>> > > > I would like to enable rule profiling for tuning purposes. Suricata has
>>> > > > been compiled with the profiling option and the below config is in the
>>> > > > suricata.yaml. None of the log files are being created, however... do you
>>> > > > know what could possibly be missing here?
>>> > >
>>> > > Did you double check if it's enabled when you pass '--build-info'?
>>> > >
>>> > > How do you start/run suricata?
>>> > >
>>> > > Is the log dir set correctly and writable?
>>> > >
>>> > > Greetings
>>> > >
>>> > > --
>>> > > Andreas Herz
>>> > > _______________________________________________
>>> > > Suricata IDS Users mailing list:
>>> oisf-users at openinfosecfoundation.org
>>> > > Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> > > List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> > >
>>> > > Conference: https://suricon.net
>>> > > Trainings: https://suricata-ids.org/training/
>>>
>>> --
>>> Andreas Herz