suricata stop logging


Stephane Balaguer

Apr 20, 2017, 5:16:27 AM
to security-onion
Hi Guys,

I have a problem with one of my sensors.

The problem is only on one monitor interface: for a few days now, the sensor hasn't updated some log files, in my case dns-json.log and dns.log

Apr 20 09:09 stats.log
Apr 20 09:09 alert-json.log
Apr 20 08:56 dns-json.log
Apr 20 08:56 dns.log

If I run the command nsm_sensor_ps-restart

the DNS log files are correctly populated, but after 1 minute there is no new data.

Obviously, if I run tcpdump on this interface I can see that DNS traffic is arriving fine...

I have checked the log files for barnyard and suricata but found nothing; I tried rebooting the server but have the same issue.

For the second interface all files are populated correctly...

Any ideas on how to investigate?

Regards,
Stephane
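
The symptom above (one output file's mtime falling behind the other files in the same sensor log directory, 08:56 against 09:09) can be checked mechanically instead of by eyeballing ls. The script below is an added example, not part of the original post and not Security Onion code: it compares each log file's mtime against the newest file in the directory, so a single stalled output stands out while a sensor that is merely quiet is not reported. The directory and files it scans are constructed in a temporary directory to mirror the listing above; the 5-minute lag threshold and the names stalled_logs and build_sample_dir are this example's own.

```python
"""Flag Suricata output files that have stopped being written while the
sensor itself is still active (added example, not Security Onion code)."""

import os
import tempfile
import time
from typing import Dict, List, Tuple


def stalled_logs(log_dir: str, max_lag_sec: int = 300,
                 suffixes: Tuple[str, ...] = ('.log',)) -> List[Tuple[str, int]]:
    """Return [(name, lag_seconds)] for files whose mtime lags the newest
    file in log_dir by more than max_lag_sec.

    Measuring against the newest sibling (stats.log, which Suricata rewrites
    on a fixed interval, is a good reference) rather than against wall-clock
    time means an idle sensor is not reported, but one stuck output is.
    """
    mtimes: Dict[str, float] = {}
    for name in os.listdir(log_dir):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path) and name.endswith(suffixes):
            mtimes[name] = os.stat(path).st_mtime
    if not mtimes:
        return []
    newest = max(mtimes.values())
    stalled = [(name, int(newest - mt)) for name, mt in mtimes.items()
               if newest - mt > max_lag_sec]
    return sorted(stalled)


def build_sample_dir() -> str:
    """Constructed sample mirroring the listing in the post: stats.log and
    alert-json.log written just now, dns.log and dns-json.log last written
    13 minutes earlier (09:09 vs 08:56).  Returns the directory path."""
    d = tempfile.mkdtemp(prefix='suricata-logs-')
    now = time.time()
    for name, age in (('stats.log', 0), ('alert-json.log', 0),
                      ('dns.log', 13 * 60), ('dns-json.log', 13 * 60)):
        path = os.path.join(d, name)
        with open(path, 'w') as fh:
            fh.write('')
        os.utime(path, (now - age, now - age))   # set atime and mtime explicitly
    return d


if __name__ == '__main__':
    sample = build_sample_dir()
    for name, lag in stalled_logs(sample):
        print(f'{name}: last written {lag // 60} min behind the newest file')
```

Pointed at a real sensor directory (for example the per-interface Suricata log directory under /nsm/sensor_data/ on a Security Onion box, an assumed path from typical installs rather than from this thread) it prints only the outputs that have fallen behind, which is the signal worth alerting on from a cron job.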

Wes

Apr 20, 2017, 9:15:19 PM
to security-onion

Stephane,

Please provide the output of sostat-redacted, attaching it as a plain text file or using a service like Pastebin.com.

Thanks,
Wes

Stephane Balaguer

Apr 21, 2017, 5:14:09 AM
to securit...@googlegroups.com
Hi Wes,

Thanks for the answer, the output is attached ;-)

FYI, the problem happened on interface eth7

Thanks,
Stephane


sostat-redacted.txt

Wes Lambert

Apr 21, 2017, 3:13:00 PM
to securit...@googlegroups.com
Stephane,

I don't see much of an issue with anything from your sostat output. I also don't think those logs are enabled by default with Security Onion. Do you have any issue with Bro's DNS log being updated?

Thanks,
Wes


Stephane Balaguer

Apr 24, 2017, 7:51:33 AM
to securit...@googlegroups.com
Wes,

Seems to be OK for Bro:
/nsm/bro/logs/current$ 255828119 Apr 24 07:11 dns.log

/nsm/bro/logs/current$ date
Monday 24 April 2017, 07:12:28 (UTC+0000)

You're right, I have edited the suricata.yaml to enable these logs.

The interesting thing is that I have the same problem with ssh-json.log.

I think my problem comes from the suricata.yaml config...


Wes Lambert

Apr 24, 2017, 2:04:19 PM
to securit...@googlegroups.com
Stephane,

Did you back up this file before you made your changes? Have you compared your changes for this particular interface's config file to one that works? Would you be able to provide the output of suricata.yaml?

Thanks,
Wes

Stephane Balaguer

Apr 25, 2017, 3:23:54 AM
to securit...@googlegroups.com
Hi Wes,

OK, good news, the problem is now fixed.

A few days ago I modified the suricata.yaml in order to log DNS traffic on interface eth7 and FW traffic for eth6. What I did is:
- modified eve-log
- added some logs:
  - eve-log:
      enabled: yes
      type: file
      filename: dns-json.log
      types:
        - dns
 
  - eve-log:
      enabled: yes
      type: file
      filename: web-json.log
      types:
        - http:
            extended: yes     # enable this for extended logging information
        - tls:
            extended: yes     # enable this for extended logging information
 
  - eve-log:
      enabled: yes
      type: file
      filename: ssh-json.log
      types:
        - ssh
 
The problem was due to copy/paste that created some duplicate entries for the same eve-logs.

So yesterday I took the default suricata.yaml file and removed the part from:
line 77 (outputs:)
to:
line 928 (magic-file: /usr/share/file/magic)

and inserted only the eve-log sections needed (see the attached config file).

So for now the problem seems to be fixed and I have been getting all logs since yesterday afternoon.

I will look at the Suricata docs to customize the file ;-)

Thanks,

suricata_05eth7.yaml
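
The cause found above, two `- eve-log:` blocks pointing at the same filename after a copy/paste, can be checked before restarting the sensor rather than discovered from stalled logs. The script below is an added example, not code from this thread, from Security Onion or from Suricata: a small purpose-built scanner for the `outputs:` section of a suricata.yaml that reports filenames declared by more than one enabled eve-log block and event types repeated inside a single block. It understands only the indentation layout of the stock suricata.yaml (the layout of the snippets in the post above), not arbitrary YAML. The embedded sample configuration is constructed to show both faults, and the names parse_eve_logs, find_duplicates, lint_text and lint_file are this example's own.

```python
"""Lint the outputs: section of a Suricata suricata.yaml for duplicated
eve-log outputs (added example; not Suricata or Security Onion code)."""

import re
import sys
from collections import Counter
from typing import Dict, List

# Constructed sample, not a real sensor's file: the dns-json.log block is
# pasted twice (the copy/paste fault described in the thread) and the last
# block also lists `dns` twice.  The `- fast:` block shows that non-eve
# outputs are ignored.
SAMPLE_YAML = """\
outputs:
  - fast:
      enabled: yes
      filename: fast.log
  - eve-log:
      enabled: yes
      type: file
      filename: dns-json.log
      types:
        - dns
  - eve-log:
      enabled: yes
      type: file
      filename: web-json.log
      types:
        - http:
            extended: yes     # enable this for extended logging information
        - tls:
            extended: yes
  - eve-log:
      enabled: yes
      type: file
      filename: dns-json.log
      types:
        - dns
        - dns
"""

KEY_RE = re.compile(r'^([A-Za-z][\w-]*):\s*(.*)$')


def parse_eve_logs(text: str) -> List[Dict]:
    """One dict per `- eve-log:` block: starting line, enabled flag, filename
    and event types.  Tracks indentation only; a `#` anywhere starts a comment."""
    blocks: List[Dict] = []
    current = None
    block_indent = types_indent = 0
    in_types = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if stripped == '- eve-log:':
            current = {'line': lineno, 'enabled': False, 'filename': None, 'types': []}
            blocks.append(current)
            block_indent, in_types = indent, False
            continue
        if current is None:
            continue
        if indent <= block_indent:                # next output or end of section
            current, in_types = None, False
            continue
        if in_types:
            if indent > types_indent:
                if stripped.startswith('- '):     # `- dns` or `- http:`
                    current['types'].append(stripped[2:].rstrip(':').strip())
                continue                          # sub-keys such as extended: yes
            in_types = False
        m = KEY_RE.match(stripped)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == 'filename':
            current['filename'] = value
        elif key == 'enabled':
            current['enabled'] = value.lower() in ('yes', 'true')
        elif key == 'types':
            in_types, types_indent = True, indent
    return blocks


def find_duplicates(blocks: List[Dict]) -> Dict[str, Dict]:
    """'files': filename -> starting lines of the enabled blocks that share it;
    'types': block line -> event types it lists more than once."""
    by_file: Dict[str, List[int]] = {}
    for b in blocks:
        if b['enabled'] and b['filename']:
            by_file.setdefault(b['filename'], []).append(b['line'])
    files = {f: lines for f, lines in by_file.items() if len(lines) > 1}
    types = {}
    for b in blocks:
        repeated = sorted(t for t, n in Counter(b['types']).items() if n > 1)
        if repeated:
            types[b['line']] = repeated
    return {'files': files, 'types': types}


def lint_text(text: str) -> List[str]:
    """Human-readable findings for one configuration text."""
    dups = find_duplicates(parse_eve_logs(text))
    msgs = [f"filename {f!r} used by eve-log blocks starting at lines {lines}"
            for f, lines in sorted(dups['files'].items())]
    msgs += [f"eve-log block at line {ln} lists types more than once: {types}"
             for ln, types in sorted(dups['types'].items())]
    return msgs


def lint_file(path: str) -> List[str]:
    with open(path, encoding='utf-8') as fh:
        return lint_text(fh.read())


if __name__ == '__main__':
    findings = lint_file(sys.argv[1]) if len(sys.argv) > 1 else lint_text(SAMPLE_YAML)
    print('\n'.join(findings) or 'no duplicate eve-log outputs found')
```

Run it with the path of the per-interface suricata.yaml as the only argument (on a Security Onion sensor the per-interface copy normally lives under /etc/nsm/<sensor-name>/; that path is an assumption from typical installs, not from the thread). It is a sanity check alongside Suricata's own `suricata -T -c <file>`, which tests whether the configuration loads; the duplicate-output check here is a separate question from whether the YAML parses.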