Multi-tenancy & VLANs

Hi, thank you for working on this project.

Will Suricata maintain separate flow states between VLANs? I’d like to use the multi-tenancy model and have a separate eve.json for each VLAN.

Thanks

If vlan:use-for-tracking is set to true (default) then the flows are tracked separately. The multi-tenancy currently only affects detection settings though, so steering logs to separate files based on tenant (or vlan id) is currently not supported.

Related work https://github.com/OISF/suricata/pull/4941
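Since per-tenant log steering is not supported, one defender-side workaround is to split the single eve.json after the fact on the `vlan` field each event already carries. The following is an added example, not code from the thread or from the Suricata project; it assumes `vlan` is logged as a list of ids (newer releases) or a single integer (older releases) and uses constructed sample lines rather than a real capture.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not real captures): two VLANs, one event with
# the older scalar "vlan" form, and one untagged event.
SAMPLE_EVE = """\
{"timestamp":"2020-07-01T10:00:00.000000+0000","event_type":"flow","vlan":[100],"src_ip":"10.0.100.5","dest_ip":"10.0.100.9","proto":"TCP"}
{"timestamp":"2020-07-01T10:00:01.000000+0000","event_type":"alert","vlan":[200],"src_ip":"10.0.200.5","dest_ip":"10.0.200.9","proto":"TCP"}
{"timestamp":"2020-07-01T10:00:02.000000+0000","event_type":"flow","vlan":100,"src_ip":"10.0.100.7","dest_ip":"10.0.100.9","proto":"UDP"}
{"timestamp":"2020-07-01T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.2","dest_ip":"10.0.0.1","proto":"UDP"}
"""

def vlan_key(event):
    """Outermost VLAN id of an EVE event as a string, or 'untagged'.

    Assumption: Suricata writes "vlan" as a list of ids (outer tag first) in
    newer releases and as a single integer in older ones; both are handled.
    """
    vlan = event.get("vlan")
    if vlan is None:
        return "untagged"
    if isinstance(vlan, list):
        return str(vlan[0]) if vlan else "untagged"
    return str(vlan)

def split_eve(lines):
    """Group raw EVE JSON lines by VLAN id -> {key: [line, ...]}.

    Lines that fail to parse land in a 'malformed' bucket instead of being
    dropped silently, so a truncated record does not vanish from the split.
    """
    buckets = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            buckets["malformed"].append(line)
            continue
        buckets[vlan_key(event)].append(line)
    return dict(buckets)

if __name__ == "__main__":
    # Each bucket can be written to its own eve-<vlan>.json file downstream.
    for key, events in split_eve(SAMPLE_EVE.splitlines()).items():
        print(f"vlan {key}: {len(events)} event(s)")
```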

Ok, got it. Thanks - I’ll watch that PR.

On a side note - I was playing around with multi-tenancy and the pcap-file-continuous command using the unix socket. I was hoping I could run multiple pcap-file-continuous for a separate directory per tenant in parallel. This would give me separate logs per tenant and I would be able to separate the flow state based on directory.
It looks like the polling of the directory does not run in its own thread though (or something like that), so it didn’t work. When I sent an interrupt to Suricata it would stop the first pcap-file-continuous command and start the next one (right before shutting down entirely).

Is this expected behavior and is there any issue open that may fix this? I couldn’t find anything.

Thank you