I’m using Suricata to output logs with the following configuration:
filetype: unix_stream,
filename: /var/lib/suricata/unix_alert.socket
When Suricata is running in multithreaded mode, the data received from /var/lib/suricata/unix_alert.socket is sometimes incomplete JSON.
I’m looking for a solution to this issue.
My suricata version: 8.0.0-beta1 RELEASE
Can you post the eve-log section from suricata.yaml?
sure, here is my config
- eve-log:
enabled: yes
#filetype: regular
filetype: unix_stream
#filename: flow.json
filename: /var/lib/suricata/unix_flow.socket
types:
- flow
Can you show a few examples of what the truncated items look like?
What process is receiving the alerts and persisting them?
I use go function to listen /var/lib/suricata/unix_flow.socket
the error message is :
{"data":"OjQwMTY0LCJ0b2Ffc3JjX2lwIjoiMC4wLjAuMCIsInRvYV9zcmNfcG9ydCI6MCwiZGVzdF9pcCI6IjEuMTgwLjIxMy4xMDkiLCJkZXN0X3BvcnQiOjQ0MywiZGlyX2NoZWNrIjoyLCJwcm90byI6IlRDUCIsImZsb3ciOnsicGt0c190b3NlcnZlciI6MzIsInBrdHNfdG9jbGllbnQiOjI2LCJieXRlc190b3NlcnZlciI6MjE5MDIsImJ5dGVzX3RvY2xpZW50Ijo5MTExLCJmbG93X3N0YXJ0IjoiMjAyNS0wNS0yMlQyMTowMzoxNi4yMjkxMTUrMDgwMCIsImZsb3dfZW5kIjoiMjAyNS0wNS0yMlQyMTowMzoxOS4xMzk4NzUrMDgwMCIsImFnZSI6Mywic3RhdGUiOiJuZXciLCJyZWFzb24iOiJ0aW1lb3V0IiwiYWxlcnRlZCI6ZmFsc2UsImV4Y2VwdGlvbl9wb2xpY3kiOlt7InRhcmdldCI6InN0cmVhbV9taWRzdHJlYW0iLCJwb2xpY3kiOiJpZ25vcmUifSx7InRhcmdldCI6ImFwcF9sYXllcl9lcnJvciIsInBvbGljeSI6Imlnbm9yZSJ9XX0sInRjcCI6eyJ0Y3BfZmxhZ3MiOiIwMCIsInRjcF9mbGFnc190cyI6IjAwIiwidGNwX2ZsYWdzX3RjIjoiMDAifSwiaG9zdCI6ImMzLXNlYy1udGEwMi5iaiJ9CnsidGltZXN0YW1wIjoiMjAyNS0wNS0yMlQyMTowNDoxOS44MTgwMjIrMDgwMCIsImZsb3dfaWQiOjExMDgxNzc5Mjc1NTA4ODMsImluX2lmYWNlIjoiMDAwMDo1ZTowMC4wIiwiZXZlbnRfdHlwZSI6ImZsb3ciLCJ2bGFuIjpbMzE2XSwic3JjX2lwIjoiMTAuMTU4LjI0My4zNCIsInNyY19wb3J0Ijo1MTIxMiwidG9hX3NyY19pcCI6IjAuMC4wLjAiLCJ0b2Ffc3JjX3BvcnQiOjAsImRlc3RfaXAiOiIxMjMuMTgzLjIzMi45IiwiZGVzdF9wb3J0Ijo0NDMsImRpcl9jaGVjayI6MiwicHJvdG8iOiJUQ1AiLCJhcHBfcHJvdG8iOiJmYWlsZWQiLCJhcHBfcHJvdG9fdA==","error":"invalid character ':' looking for beginning of value","level":"error","msg":"handle message unmarshal flow Log failed","time":"2025-05-22T21:04:19+08:00"}
Note that the endpoint receiving the data is responsible for handling the stream. The data in the b64-encoded blob has items from a Suricata alert and also items that are from a different source.
This data is a flow log, because print(byte) in Go language is encoded in base64 by default.
Suricata flow logs (event type flow) do not have fields prefixed with toa. Is the go-recipient of the Suricata flow record rewriting field names (or adding them)?
Yes, we customlized some code to parse ToA address field into flow log because some traffic forward by lvs
I’d like to see the original Suricata items that are showing the issue. Is that possible?