Fast.log enabled but not generating logs

My company is trying to start using Suricata for all of its IPS and IDS. I am working on integrating the process into the server. The problem I'm having is that logs are not being generated in the "fast.log" file, so it won't be able to send any form of alert. It is enabled in the suricata.yaml config file, and the correct interface and IP address are also listed in the config file. Any help you can give will be well appreciated. Pasted below is a view of my suricata.yaml file output. Thank you so much.

```yaml
# Configure the type of alert (and other) logging you would like.
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
```

Hi,

A few preliminary questions:

  • Suricata version
  • Which ruleset(s)
  • What packet acquisition method
  • Operating system
  • Machine type

There could be many things happening

  • There’s no ruleset or the ruleset failed to load (see suricata.log for output)
  • There’s no traffic (see stats.log for non-zero, increasing packet and byte counts)
  • Suricata starts but fails (see suricata.log)
  • The traffic doesn’t trigger any alerts

There can be many

Thank you for this reply.
Please give me three minutes to log in and provide you with all these details.

The details are as follows:

  1. This is Suricata version 6.0.13 RELEASE.

  2. ```
     alert tcp any any -> $HOME_NET 22 (msg:"Inbound SSH traffic detected"; sid:100001; rev:1;)
     alert tcp $HOME_NET any -> any 22 (msg:"Outbound SSH traffic detected"; sid:100002; rev:1;)
     ```

     The variable for $HOME_NET is already configured in suricata.yaml.

  3. I used "ping", "scapy", and www.testmynids.org.

  4. Fedora.

  5. I am running Suricata inside a container to test a server.

Did you check

  • stats.log to ensure packets are being received by suricata
  • suricata.log to ensure that suricata is starting and loading the rules
  • eve.json to look for log entries related to the traffic?
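The two replies above both point at the same triage order: confirm in suricata.log that the engine started and that rules loaded, then confirm in stats.log that packet counters are increasing, and only then ask why no rule matched. The script below is an added example (not code from the thread or from the Suricata project) that automates that order over the two files. The suricata.log and stats.log contents are constructed to mimic Suricata 6 output and are not real captures; in the constructed scenario the only traffic is ICMP, so rules that match TCP port 22 never fire and detect.alert stays at 0, which is exactly the "stats.log non-empty, fast.log empty" symptom.

```python
"""Triage helper for "fast.log is empty": classify a Suricata run from the
text of suricata.log and stats.log. Added example; the log samples below are
constructed (not real captures) and follow the Suricata 6 line formats."""
import re

# Constructed suricata.log excerpt: engine started, two rules loaded.
SURICATA_LOG = """\
15/5/2024 -- 10:00:00 - <Notice> - This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
15/5/2024 -- 10:00:00 - <Info> - 1 rule files processed. 2 rules successfully loaded, 0 rules failed
15/5/2024 -- 10:00:01 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
"""

# Constructed stats.log with two snapshots: packets increase, but all of it is
# ICMP, and detect.alert never moves off zero.
STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 5/15/2024 -- 10:00:09 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 120
decoder.pkts                                  | Total                     | 120
decoder.bytes                                 | Total                     | 9840
decoder.icmpv4                                | Total                     | 120
detect.alert                                  | Total                     | 0
------------------------------------------------------------------------------------
Date: 5/15/2024 -- 10:00:17 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 250
decoder.pkts                                  | Total                     | 250
decoder.bytes                                 | Total                     | 20500
decoder.icmpv4                                | Total                     | 250
detect.alert                                  | Total                     | 0
"""

RULES_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")
# One aggregated counter line: "<name> | Total | <value>"
COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*Total\s*\|\s*(\d+)\s*$")


def parse_rule_load(text):
    """Return (loaded, failed) from the rule-loading summary, or None if absent."""
    m = RULES_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def engine_started(text):
    """True if suricata.log records the engine reaching its running state."""
    return "engine started" in text


def parse_stats(text):
    """Split stats.log into snapshots: a list of {counter: value} dicts in order."""
    snapshots = []
    current = None
    for line in text.splitlines():
        if line.startswith("Date:"):
            current = {}
            snapshots.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
    return snapshots


def diagnose(suricata_log, stats_log):
    """Map the symptoms to the causes in the order the replies suggest checking them."""
    if not engine_started(suricata_log):
        return "engine did not start (check suricata.log)"
    load = parse_rule_load(suricata_log)
    if load is None or load[0] == 0:
        return "no rules loaded (check rule-files and suricata.log)"
    snaps = parse_stats(stats_log)
    if len(snaps) < 2:
        return "not enough stats snapshots yet; wait for another interval"
    first, last = snaps[0], snaps[-1]
    if last.get("decoder.pkts", 0) <= first.get("decoder.pkts", 0):
        return "no traffic reaching Suricata (decoder.pkts not increasing)"
    if last.get("detect.alert", 0) == 0:
        return "traffic seen but no rule matched (detect.alert stays 0)"
    return "alerts are being generated; check the fast output configuration"


if __name__ == "__main__":
    print(diagnose(SURICATA_LOG, STATS_LOG))
```

To use it against a live box, read the real /var/log/suricata/suricata.log and stats.log into the two arguments instead of the constructed strings. The ordering matters: a zero detect.alert means nothing until decoder.pkts has been shown to rise across snapshots, and a rising decoder.pkts means nothing until the rule-load line confirms the rules actually parsed.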

For the previous container I was working with, the stats.log was not empty, but the fast.log and eve.json were both empty.

Please, what other suggestions do you have that could help me sort this out?

Can you supply your suricata.yaml configuration file and stats.log?