I’m testing SELKS 10 which includes a dockerised version of Suricata (8.0.0-dev).
I managed to enable fast.log. The file has been immediately created in the log directory.
The problem: I trigger alerts that can be seen in eve.json but nothing is written in fast.log. Permissions and owner of fast.log are the same as eve.json (owner & group id 994, can write). On the other hand, I can see eve.json being updated almost in real time.
In fact, the fast.log file is updated only when I reboot the machine where SELKS resides.
Is this the expected behavior or a bug? Might I have overlooked a setting somewhere?
Looks like I found it by myself. The problematic parameter is buffer-size. It has to be set to 0 in the corresponding section of suricata.yaml (in the SELKS case, I use selks6-addin.yaml which overrides the suricata.yaml settings).
And, as I’m here, I post what I wanted to achieve. A simple thing, but I could not find anywhere how to do this. I don’t even understand why it’s not a functionality of Suricata or, at least, SELKS. It’s just to be mailed from time to time about the new alerts detected by Suricata.
You just have to put this script in a cron job, like a daily one.
```sh
#! /bin/sh
# Mail the alerts appended to fast.log since the previous run (meant for a daily cron job).
LOGF=/opt/selksd/SELKS/docker/containers-data/suricata/logs/fast.log
PREV=".prev"
MAILTO="your mail"
SUBJECT="Alert(s) from Suricata"
PREAMBLE="Suricata has detected the following alerts:"

if [ -e "$LOGF" ]; then
    if [ -e "$LOGF$PREV" ]; then
        # diff -n (RCS format) prints a one-line "aN M" header followed by the appended
        # lines; tail drops the header. This assumes fast.log only grows between runs.
        NEWS="$(diff -n "$LOGF$PREV" "$LOGF" | tail -n +2)"
    else
        NEWS="$(cat "$LOGF")"
    fi
    if [ -n "$NEWS" ]; then
        # printf instead of echo: echo's handling of \n differs between shells.
        # The .prev copy is refreshed only if the mail command succeeded.
        printf '%s\n\n%s\n' "$PREAMBLE" "$NEWS" | mail -s "$SUBJECT" "$MAILTO" && cp "$LOGF" "$LOGF$PREV"
    fi
fi
```
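As an added example (not the poster's script and not part of SELKS or Suricata), the same digest done with a saved byte offset instead of a .prev copy and diff -n: it parses fast.log lines into fields, restarts from the beginning if fast.log was rotated or truncated, and returns the mail body and alert count so the caller can skip the mail when nothing new was logged. The sample alert lines are constructed in the fast.log format Suricata writes; the mail sending itself is left to the caller.

```python
import os, re, tempfile
from collections import Counter

# One fast.log alert line; the Classification block is absent for rules without a classtype.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")
# Constructed sample alerts in fast.log format (not captured from a real sensor).
SAMPLE = [
    "02/14/2024-10:23:45.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234",
    "02/14/2024-10:24:01.000001  [**] [1:2210051:2] SURICATA STREAM Packet with broken ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.10:51234 -> 10.0.0.5:80",
    "02/14/2024-10:25:00.000002  [**] [1:9000001:1] LOCAL test rule without classtype [**] [Priority: 3] {UDP} 192.168.1.10:5353 -> 224.0.0.251:5353",
]

def parse_fast_line(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = FAST_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def read_new_lines(path, state):
    """Return complete lines appended since state['offset'] plus the new state;
    restart from 0 if fast.log was rotated (new inode) or truncated."""
    st = os.stat(path)
    offset = state.get("offset", 0)
    if state.get("inode") != st.st_ino or st.st_size < offset:
        offset = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    cut = data.rfind(b"\n") + 1  # keep a trailing partial line for the next run
    return data[:cut].decode("utf-8", "replace").splitlines(), {"inode": st.st_ino, "offset": offset + cut}

def build_digest(lines):
    """Group alerts by signature; returns (mail body, count), count 0 meaning send nothing."""
    alerts = [a for a in map(parse_fast_line, lines) if a]
    if not alerts: return "", 0
    counts = Counter((a["sid"], a["prio"], a["msg"]) for a in alerts)
    body = ["Suricata has detected the following alerts:", ""]
    body += [f"{n:4d}x  sid {sid} (priority {prio}): {msg}" for (sid, prio, msg), n in counts.most_common()]
    body += ["", "Details:"] + [f"{a['ts']} {a['src']} -> {a['dst']}  {a['msg']}" for a in alerts]
    return "\n".join(body), len(alerts)

def demo():
    """Two cron-style passes over a constructed fast.log: the second pass returns only the appended alert."""
    path = os.path.join(tempfile.mkdtemp(), "fast.log")
    with open(path, "w") as fh: fh.write("\n".join(SAMPLE[:2]) + "\n")
    first, state = read_new_lines(path, {})
    with open(path, "a") as fh: fh.write(SAMPLE[2] + "\n")
    second, state = read_new_lines(path, state)
    return len(first), len(second), state["offset"]
```

A cron wrapper would persist the returned state (for example as JSON next to the log) and pipe the body to mail only when the count is non-zero.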