Hello, I was wondering why I have many alerts in fast.log, but only a few in alert-debug. Is there a certain criteria that needs to be met to send alerts to alert-debug?
Thank you
What version of Suricata are you using?
Could you show the alert-debug configuration snippet from suricata.yaml?
Here’s the snippet from the config file I’m using:
# a full alert log containing much information for signature writers
# or for investigating suspected false positives.
- alert-debug:
    enabled: yes
    filename: alert-debug.log
    append: yes
    #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
If the log is enabled and there’s an alert, it’ll be sent to the enabled outputs, including alert-debug.log.
Hi Jeff,
I’m using Suricata 4.1.10, and my config is the same as yours. The problem is that some alerts are being sent to alert-debug, but not all, which is why I think there is some sort of criteria for alerts to be sent to alert-debug.
Thanks,
4.1.10 is EOL, so please upgrade to a current supported version.
Nevertheless, can you post some examples?
I have a similar problem. I use the latest version, but my two files (fast.log and alert-debug.log) are inconsistent. For example, rules related to the DNS protocol are not triggered in both log files at the same time.
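The replies above say every alert should reach every enabled output, while both posters see fast.log and alert-debug.log disagree. Before guessing at a criterion, it helps to measure the gap per signature ID. The script below is an added example and is not code from the thread or from the Suricata project: it tallies alerts by SID in both files and reports the SIDs whose counts differ. It assumes the standard fast.log line format (`[**] [gid:sid:rev] msg [**] ...`) and the per-packet record format of alert-debug.log, in which each alert on a packet gets its own `ALERT SID [nn]:` line; the sample log contents, the local SIDs 1000001 to 1000003 and their messages are constructed for the example.

```python
#!/usr/bin/env python3
"""Compare alert counts per SID between Suricata's fast.log and alert-debug.log.

Added example for the forum thread above; not Suricata project code.
Usage: ./compare_alert_logs.py /var/log/suricata/fast.log /var/log/suricata/alert-debug.log
Run without arguments to process the constructed sample logs embedded below.
"""
import re
import sys
from collections import Counter

# fast.log: one line per alert, e.g.
#   01/15/2021-10:00:01.000000  [**] [1:1000001:1] msg [**] [Classification: ...] ...
FAST_RE = re.compile(r'\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]')

# alert-debug.log: one multi-line record per packet; each alert on the packet
# is listed as "ALERT SID [00]: <sid>", "ALERT SID [01]: <sid>", ...
DEBUG_SID_RE = re.compile(r'^ALERT SID \[\d+\]:\s+(\d+)$')

# Constructed sample data (not captured from a real sensor). SIDs are local test IDs.
FAST_SAMPLE = """\
01/15/2021-10:00:01.000000  [**] [1:1000001:1] LOCAL test http response [**] [Classification: (null)] [Priority: 3] {TCP} 203.0.113.5:80 -> 192.0.2.10:51000
01/15/2021-10:00:02.000000  [**] [1:1000002:1] LOCAL test dns query [**] [Classification: (null)] [Priority: 3] {UDP} 192.0.2.10:41000 -> 192.0.2.53:53
01/15/2021-10:00:01.000000  [**] [1:1000003:1] LOCAL test http server banner [**] [Classification: (null)] [Priority: 3] {TCP} 203.0.113.5:80 -> 192.0.2.10:51000
01/15/2021-10:00:03.000000  [**] [1:1000001:1] LOCAL test http response [**] [Classification: (null)] [Priority: 3] {TCP} 203.0.113.5:80 -> 192.0.2.10:51004
"""

DEBUG_SAMPLE = """\
+================
TIME:              01/15/2021-10:00:01.000000
PKT SRC:           wire/pcap
SRC IP:            203.0.113.5
DST IP:            192.0.2.10
PROTO:             6
SRC PORT:          80
DST PORT:          51000
ALERT CNT:         2
ALERT MSG [00]:    LOCAL test http response
ALERT GID [00]:    1
ALERT SID [00]:    1000001
ALERT REV [00]:    1
ALERT MSG [01]:    LOCAL test http server banner
ALERT GID [01]:    1
ALERT SID [01]:    1000003
ALERT REV [01]:    1
+================
TIME:              01/15/2021-10:00:03.000000
PKT SRC:           wire/pcap
SRC IP:            203.0.113.5
DST IP:            192.0.2.10
PROTO:             6
SRC PORT:          80
DST PORT:          51004
ALERT CNT:         1
ALERT MSG [00]:    LOCAL test http response
ALERT GID [00]:    1
ALERT SID [00]:    1000001
ALERT REV [00]:    1
"""


def count_fast(text):
    """Return Counter {sid: alerts} for fast.log content."""
    counts = Counter()
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            counts[int(m.group(2))] += 1
    return counts


def count_debug(text):
    """Return Counter {sid: alerts} for alert-debug.log content.

    A packet carrying several alerts produces several ALERT SID lines in one
    record, so counting those lines counts alerts, not packets.
    """
    counts = Counter()
    for line in text.splitlines():
        m = DEBUG_SID_RE.match(line.strip())
        if m:
            counts[int(m.group(1))] += 1
    return counts


def compare(fast_text, debug_text):
    """Return {sid: (fast_count, debug_count)} for SIDs whose counts differ."""
    fast, debug = count_fast(fast_text), count_debug(debug_text)
    return {sid: (fast[sid], debug[sid])
            for sid in sorted(set(fast) | set(debug))
            if fast[sid] != debug[sid]}


def main(argv):
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            fast_text = f.read()
        with open(argv[2], encoding="utf-8", errors="replace") as f:
            debug_text = f.read()
    else:
        fast_text, debug_text = FAST_SAMPLE, DEBUG_SAMPLE
    mismatches = compare(fast_text, debug_text)
    if not mismatches:
        print("fast.log and alert-debug.log agree on every SID")
        return 0
    print("SID        fast.log  alert-debug.log")
    for sid, (f_cnt, d_cnt) in mismatches.items():
        print(f"{sid:<10} {f_cnt:>8}  {d_cnt:>15}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample the report lists only SID 1000002 (the DNS rule), seen once in fast.log and never in alert-debug.log, which is the shape of discrepancy both posters describe. Run it against the real files from the same Suricata run and the SIDs it lists are the ones to post in the thread, together with the rules behind them; comparing counts rather than eyeballing the two files also avoids being misled by alert-debug's packing of several alerts into a single per-packet record.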