Fast.log not being written to

nostromo · August 29, 2024, 6:24pm

Version: Suricata 7.0.6
OS: AlmaLinux 8.9
Installation: rpm install

No alerts are being written to fast.log despite it being enabled. I followed the quickstart alerting but nothing gets logged. Appreciate any help/suggestions.

ish · August 29, 2024, 6:38pm

What about the /var/log/suricata/eve.json file? Could be that no alert triggering traffic is occurring, but you could still be getting metadata (other event type).

nostromo · August 29, 2024, 6:49pm

eve.json logs the event. I can attach the relevant entries in eve.json if that helps; have to sanitize it first.

Jeff_Lucovsky · August 30, 2024, 12:39pm

If you’re getting alert event types in eve.json, there should also be entries in fast.log

Can you post the output from suricata -c /path/to/your/suricata.yaml --dump-config|grep fast

This is what displays on my system when doing that:

outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.0.fast.append = yes
engine-analysis.rules-fast-pattern = yes

nostromo · August 30, 2024, 3:01pm

Output as follows:

outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.0.fast.append = yes
outputs.0.fast.filetype = regular
engine-analysis.rules-fast-pattern = yes

Jeff_Lucovsky · August 31, 2024, 12:49pm

The fast.log and eve.json should be in the same logging directory.

The default logging directory is in the suricata configuration file – look for default-log-dir
This value can be overridden from the command line if -l /path/to/log-dir is added

I suspect a permissions issue … are you launching suricata as root ? Are you using the run-as configuration setting?
Can you post the output of ls -ld /path/to/log-dir?

nostromo · September 3, 2024, 11:26am

Running as root.

default-log-dir: /var/log/suricata/

ls -ld /var/log/suricata
drwxr-x—. 2 root root 4096 Sep 3 06:00 /var/log/suricata
[root@pat-test-01 suricata]$

nostromo · September 3, 2024, 1:18pm

Does curling http://testmynids.org/uid/index.html versus https://testmynids.org/uid/index.html
make a difference in this test?

Jeff_Lucovsky · September 4, 2024, 12:31pm

Are you using this rule (mentioned in the quickstart quite)? If so, yes, the content should be available for inspection (and hence, not encrypted):

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Jeff_Lucovsky · September 4, 2024, 12:36pm

Could you post your suricata.yaml config file (or, dm the file)?

nostromo · September 4, 2024, 3:20pm

verified the rule is the same.

nostromo · September 5, 2024, 7:57pm

I dm the file to you.

nostromo · September 9, 2024, 12:22pm

Upon further inspection of the eve.json log, on a system that takes a lot more traffic, it looks like alerts are not generated.

nostromo · September 9, 2024, 3:26pm

I may have this resolved, in a holding pattern for now, will update when I know more.

Topic		Replies	Views
Suricata does not generate the fast.log file Help	5	2983	October 7, 2020
Rules and log files	1	980	November 28, 2023
Fast.log enabled but not generating logs Help suricata	7	1621	July 11, 2023
>Fast.log file is not collecting properly tried almost everything.. Suricata doesnt work Help suricata	2	420	February 28, 2024
Alert-debug.log not write Help	5	393	November 27, 2021

Fast.log not being written to

Related Topics