I started running suricata with default setup/rules. It collects via a mirror port of my trunk. I am trying to implement multi-tenancy, but have yet to get it working. Looked at the logs, I don’t see anything.
I ran "suricata -T -c /etc/suricata/suricata.yaml" and get errors. One that I don't understand is "no multi-mappings detected". But I have set it up as the documentation showed.
ATTACHED: screenshot of test output / yaml files
I get an error from the test, about no multi-mappings - but I clearly have set it up?
Are my tenant files correct?
Is there a good troubleshooting guide / tutorial so I can track this down?
I guess you already read 10.4. Multi Tenancy — Suricata 6.0.4 documentation, but besides that, if I look into your config there are 4 other yaml files. Did you try a reduced config as well? I guess it's a smaller issue within the suricata.yaml file itself that is not that obvious yet.
I think it is the suricata.yaml configuration file that is wrong. Check the types and global statistics part.
```yaml
# Global stats configuration
stats:
  enabled: yes
  # The interval field (in seconds) controls the interval at
  # which stats are updated in the log.
  interval: 8

# Configure the type of alert (and other) logging you would like.
outputs:
  # Excerpt: the other eve-log settings (filetype, filename, ...) are not shown here.
  - eve-log:
      types:
        - alert:
            payload: yes              # enable dumping payload in Base64
            payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log
            payload-printable: yes    # enable dumping payload in printable (lossy) format
        - stats:
            totals: yes   # stats for all threads merged together
            threads: no   # per thread stats
            deltas: no    # include delta values

  # Stats.log contains data from various counters of the Suricata engine.
  - stats:
      enabled: yes
      filename: stats.log
      append: yes   # append to file (yes) or overwrite it (no)
      totals: yes   # stats for all threads merged together
      threads: no   # per thread stats
      #null-values: yes  # print counters that have value 0. Default: no
```
Thank you very much... I worked out most of the issues; it seems the first and most annoying was a misplaced space :(. Once that was corrected, 'test mode' was exactly what I needed. It gave me the line number and file name to correct.
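To show the kind of misplaced-space error resolved above, here is an added illustration (not the poster's files, which were only attached as screenshots) of a broken and a corrected multi-detect block, using the layout from the 10.4 Multi Tenancy documentation the reply cites; the tenant file names and VLAN ids are hypothetical.

```yaml
# Added illustration, not the poster's config. Tenant file names and VLAN ids
# are hypothetical; the structure follows the Suricata 6 multi-tenancy docs.

# BROKEN: 'mappings:' starts at column 0, so YAML treats it as a new top-level
# key instead of a child of multi-detect. The tenants still load, but there are
# no mappings under multi-detect, which is one way to end up with the
# "no mappings detected" complaint seen in this thread.
multi-detect:
  enabled: yes
  selector: vlan            # match tenants by VLAN id of the captured traffic
  tenants:
    - id: 1
      yaml: tenant-1.yaml   # hypothetical tenant file
mappings:
  - vlan-id: 1000
    tenant-id: 1
---
# CORRECTED: 'mappings:' indented two spaces, a sibling of 'tenants:'.
# Each tenant-id used in mappings must match an id defined under tenants.
multi-detect:
  enabled: yes
  selector: vlan
  tenants:
    - id: 1
      yaml: tenant-1.yaml   # hypothetical tenant file
    - id: 2
      yaml: tenant-2.yaml   # hypothetical tenant file
  mappings:
    - vlan-id: 1000         # hypothetical VLAN -> tenant 1
      tenant-id: 1
    - vlan-id: 2000         # hypothetical VLAN -> tenant 2
      tenant-id: 2
```

Running `suricata -T -c /etc/suricata/suricata.yaml` after each edit reports the file and line of any config error, as the thread found, so re-run it until the multi-detect section loads cleanly.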