I want Suricata to record NSM logs. My yaml:
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      pcap-file: false
      community-id: false
      community-id-seed: 0
      ethernet: yes
      types:
        - alert:
            payload: yes
            payload-buffer-size: 8kb
            payload-printable: yes
            # http-body: yes
            http-body-printable: yes
            tagged-packets: yes
            metadata:
              app-layer: true
              flow: false
              rule:
                metadata: true
                raw: true
            xff:
              enabled: yes
              mode: extra-data
              deployment: forward
              header: X-Forwarded-For

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: dns.json
      types:
        - dns:
            version: 2
            enabled: yes
            requests: yes
            responses: no
            # Format of answer logging:
            # - detailed: array item per answer
            # - grouped: answers aggregated by type
            # Default: all
            #formats: [detailed, grouped]
            #answer-types: [a, aaaa, cname, mx, ns, ptr, txt]
            # answer-types only filters response records, so it has no effect while responses: no
            answer-types: [a, aaaa, cname, ns]

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: http.json
      types:
        - http:
            extended: yes
            # custom: [accept, accept-charset, accept-encoding, accept-language,
            #          accept-datetime, authorization, cookie, from, proxy-authorization,
            #          content-length, content-type, location, proxy-authenticate, referer,
            #          set-cookie, x-authenticated-user]
            dump-all-headers: both

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: tls.json
      types:
        - tls:
            extended: yes
            #session-resumption: no
            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: file.json
      types:
        - files:
            force-magic: yes
            force-hash: [md5]

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: ftp.json
      types:
        - ftp

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: smb.json
      types:
        - smb

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: ssh.json
      types:
        - ssh

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: rdp.json
      types:
        - rdp
But the output files are empty!
Please help me! Many thanks!
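The check a practitioner would run against a setup like the one posted above, as an added example that is not part of the original post or of Suricata itself: it uses Suricata's own test mode (`suricata -T -c <yaml>`) to catch YAML indentation mistakes, reads the effective `default-log-dir` from `suricata --dump-config` (relative filenames such as eve.json are written there unless `-l` overrides it), then reports for each configured output file whether it is missing, still empty, or has data, and counts EVE records per `event_type` in the JSON files without needing jq. The file list is taken from the posted outputs section; the `--demo` mode works offline on a constructed EVE record, so the script also runs where Suricata is not installed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post or the Suricata project).
# Usage: sh check_suricata_logs.sh [/path/to/suricata.yaml] | --demo

# Output filenames from the posted outputs section (fast.log plus the eve-log files).
LOGFILES="fast.log eve.json dns.json http.json tls.json file.json ftp.json smb.json ssh.json rdp.json"

# check_logs DIR -> one line per configured file: "<name> missing|empty|<n> bytes".
# Returns 0 only when every configured file exists and is non-empty.
check_logs() {
    dir=$1
    status=0
    for f in $LOGFILES; do
        path="$dir/$f"
        if [ ! -e "$path" ]; then
            echo "$f missing"
            status=1
        elif [ ! -s "$path" ]; then
            echo "$f empty"
            status=1
        else
            echo "$f $(wc -c < "$path" | tr -d ' ') bytes"
        fi
    done
    return $status
}

# count_events FILE -> "<count> <event_type>" lines, most frequent first.
# EVE writes one compact JSON object per line, always carrying "event_type":"...".
count_events() {
    sed -n 's/.*"event_type":"\([a-z_]*\)".*/\1/p' "$1" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# diagnose [CONFIG] -> validate the config, locate the log dir, inspect the outputs.
diagnose() {
    cfg=${1:-/etc/suricata/suricata.yaml}
    if ! command -v suricata >/dev/null 2>&1; then
        echo "suricata not in PATH" >&2
        return 2
    fi
    # -T parses the YAML and rules and exits; indentation/structure errors surface here.
    suricata -T -c "$cfg" || return 1
    # --dump-config prints "key = value" lines for the effective configuration.
    logdir=$(suricata --dump-config -c "$cfg" | sed -n 's/^default-log-dir = //p')
    logdir=${logdir:-/var/log/suricata}
    echo "effective log dir: $logdir"
    check_logs "$logdir"
    for f in $LOGFILES; do
        case $f in
            *.json)
                if [ -s "$logdir/$f" ]; then
                    echo "== $f"
                    count_events "$logdir/$f"
                fi ;;
        esac
    done
    # To exercise the outputs without live traffic:
    #   suricata -c "$cfg" -r sample.pcap -l /tmp/suri-out && check_logs /tmp/suri-out
}

case "${1:-}" in
    --demo)
        # Offline self-check on constructed data (not a real capture).
        demo_dir=$(mktemp -d)
        : > "$demo_dir/eve.json"   # exists but empty, the symptom in the post
        printf '%s\n' \
          '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"dns","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}' \
          > "$demo_dir/dns.json"
        check_logs "$demo_dir" || echo "(some outputs missing or empty)"
        count_events "$demo_dir/dns.json"
        rm -rf "$demo_dir" ;;
    "") ;;
    *) diagnose "$1" ;;
esac
```

If `-T` passes and the files still stay at zero bytes, compare the printed effective log directory with the directory being inspected, and confirm the running Suricata process is using the same `-c` config and has write permission there.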