[Oisf-users] Each worker with a eve.json
Jason Ish
jason.ish at oisf.net
Fri Sep 20 16:44:48 UTC 2019
Hi David,
On 2019-09-16 9:29 a.m., David Decker wrote:
> So this might sound off, but I'm trying to figure this out.
>
> I have a machine with 2 "eve.jsons", one under suricata at 0 and another at
> suricata at 1. I was told this was due to the amount of workers allocated
> to suricata. I can't seem to find any information on this type of setup,
> and wanted to see if I can get some info to try and narrow it down.
As far as I know this isn't a default configuration, whether installed from
source or with the major distributions, so it sounds like a bit of a
custom setup.
>
> Is there a way to see how many workers are allocated? And from there
> which get sent to which suricata eve.json.
>
> I believe I only see one suricata.yaml file as of right now. Any other
> information needed I can try and provide.
The use cases for 2 eve.json output files I can think of off the top of
my head are:
- multiple eve log instances in the suricata.yaml, often to send
different types of events to different files
- multiple instances of suricata, perhaps for monitoring multiple
interfaces, with each instance logging to its own file.
Hope that helps,
Jason
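As an added illustration of the first case Jason lists (not part of the original message, and not taken from any particular Suricata install), here is what the relevant part of a suricata.yaml looks like when two eve-log instances are configured so that different event types land in different files. The file names eve-alerts.json and eve-nsm.json are made up for this example; the keys (outputs, eve-log, enabled, filetype, filename, types) are the standard ones Suricata documents for EVE output.

```yaml
# suricata.yaml fragment (example only): two EVE logger instances.
# Each "eve-log" entry under "outputs" is an independent logger with its
# own file and its own list of event types. Event types not listed in an
# instance are simply not written to that instance's file.
outputs:
  # Instance 1: detection events only, for the SIEM / alert pipeline.
  - eve-log:
      enabled: yes
      filetype: regular          # write to a regular file in the log dir
      filename: eve-alerts.json  # example name, relative to default-log-dir
      types:
        - alert
        - drop
        - anomaly

  # Instance 2: protocol / NSM metadata, kept separate because of its volume.
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-nsm.json     # example name
      types:
        - http
        - dns
        - tls
        - fileinfo
        - flow
```

To confirm which of the two situations you are actually in, `suricata --dump-config` prints the effective configuration, including every eve-log instance and its filename, so you can see whether one process has two loggers. If instead you find two Suricata processes (for example two systemd units, each started with its own `-c` config and `-l` log directory), you are in the second case, where each instance is monitoring its own interface and writing to its own file, and the per-interface worker count (the `threads:` setting under the capture method) has nothing to do with how many eve.json files exist.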