File handles generated by the pcap-log module are not broken

  • Suricata 7.0.0 Release
  • CentOS
  • Source Install

Hi, Suricata Team:

I’m looking for help with a scenario where I’m linking two components, Suricata and Arkime. The way it works is that the Suricata pcap-log module generates alarms in a fixed directory using `conditional: alerts`, and then Arkime’s capture tool is used to monitor and capture the new pcap files in real time and write them to Arkime’s platform; this way, the contents of the pcap files can be read quickly.
The current problem is: Arkime Capture works by monitoring the directory for files that are no longer being written before it writes them to the platform, but because the pcap file generated by Suricata is still held open by the process, it cannot be released quickly; it often takes a long period of time (maybe 1 day) before it can be written to Arkime.
What kind of configuration is available to have the generated pcap file terminated quickly so that writing can continue? (Because I’ve already got what I want.)