Rules and log files

Hi,
I’m still quite new to Suricata. I installed it and realized that my log files grew very rapidly.
I looked into the log files (fast.log and eve.json) and I have to admit … it’s not as easy as I expected to understand the output. I read a lot in the docs, but not everything is clear to me.
Some questions:
Is it necessary to have fast.log AND eve.json? To me, fast.log seems to be an excerpt of eve.json.
Can I use the timestamp to correlate between these two? If yes, why do they both have a different format? Is it possible for them to have the same format?
Let’s take this entry:
```json
{"timestamp":"2023-11-28T08:44:47.721263+0000","flow_id":791733363913911,"in_iface":"enp8s0","event_type":"alert","src_ip":"10.201.25.253","src_port":38925,"dest_ip":"146.107.1.10","dest_port":9152,"proto":"TCP","pkt_src":"wire/pcap","metadata":{"flowbits":["ET.HB.Request.CI","tcp.retransmission.alerted","ET.MalformedTLSHB"],"flowints":{"tcp.retransmission.count":24930697}},"alert":{"action":"allowed","gid":1,"signature_id":2210020,"rev":2,"signature":"SURICATA STREAM ESTABLISHED packet out of window","category":"Generic Protocol Command Decode","severity":3},"app_proto":"failed","direction":"to_server","flow":{"pkts_toserver":328806602,"pkts_toclient":143312514,"bytes_toserver":458709326840,"bytes_toclient":9460624516,"start":"2023-11-27T21:12:42.839699+0000","src_ip":"10.201.25.253","dest_ip":"146.107.1.10","src_port":38925,"dest_port":9152}}
```
flowbits: "ET.HB.Request.CI", "tcp.retransmission.alerted", "ET.MalformedTLSHB". What does that mean?
flowints: "tcp.retransmission.count":24930697. Does that mean that one packet has been retransmitted 24930697 times? Or that there are 24930697 retransmissions?
Thanks.
Bernd

Suggest disabling the fast.log unless you have infrastructure to process it. The eve.json file is a superset containing alerts and other logging from Suricata (e.g., dns, flow, http records).

The format of fast.log precludes timestamps from being the same. You can disable fast.log in the outputs section of the Suricata configuration file (suricata.yaml).
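As an added illustration of the correlation question and of the reply's point that the two files use different timestamp layouts (this is example code written for this thread, not Suricata's own tooling): the eve.json alert quoted above is parsed alongside a hand-constructed fast.log line for the same alert, both timestamps are normalised to timezone-aware UTC datetimes, and alerts are matched on (timestamp, signature id, source, destination). The fast.log layout used here is Suricata's standard `MM/DD/YYYY-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port` form; the assumption that fast.log was written in UTC is marked in the code, since fast.log carries no offset while eve.json does. The flowbits and the `tcp.retransmission.count` flowint are surfaced as-is from the metadata block without interpretation.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample input. The first eve.json record is the alert quoted in
# the thread; the second is a non-alert record, which fast.log never carries.
EVE_LINES = [
    '{"timestamp":"2023-11-28T08:44:47.721263+0000","flow_id":791733363913911,'
    '"in_iface":"enp8s0","event_type":"alert","src_ip":"10.201.25.253",'
    '"src_port":38925,"dest_ip":"146.107.1.10","dest_port":9152,"proto":"TCP",'
    '"pkt_src":"wire/pcap","metadata":{"flowbits":["ET.HB.Request.CI",'
    '"tcp.retransmission.alerted","ET.MalformedTLSHB"],'
    '"flowints":{"tcp.retransmission.count":24930697}},'
    '"alert":{"action":"allowed","gid":1,"signature_id":2210020,"rev":2,'
    '"signature":"SURICATA STREAM ESTABLISHED packet out of window",'
    '"category":"Generic Protocol Command Decode","severity":3},'
    '"app_proto":"failed","direction":"to_server",'
    '"flow":{"pkts_toserver":328806602,"pkts_toclient":143312514,'
    '"bytes_toserver":458709326840,"bytes_toclient":9460624516,'
    '"start":"2023-11-27T21:12:42.839699+0000"}}',
    '{"timestamp":"2023-11-28T08:44:48.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.1","dest_ip":"10.0.0.2"}',
]
# Constructed fast.log counterpart of the alert above (hypothetical line,
# written in Suricata's fast.log layout; assumed to be in UTC).
FAST_LINES = [
    "11/28/2023-08:44:47.721263  [**] [1:2210020:2] SURICATA STREAM ESTABLISHED "
    "packet out of window [**] [Classification: Generic Protocol Command Decode] "
    "[Priority: 3] {TCP} 10.201.25.253:38925 -> 146.107.1.10:9152",
]

# One fast.log line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol and the 5-tuple endpoints.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_eve_alert(line):
    """Return correlation fields of an eve.json alert, or None for other event types."""
    ev = json.loads(line)
    if ev.get("event_type") != "alert":
        return None
    meta = ev.get("metadata") or {}
    return {
        # eve.json carries an explicit offset, so %z yields an aware datetime
        "ts": datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "sid": ev["alert"]["signature_id"],
        "src": f'{ev["src_ip"]}:{ev["src_port"]}',
        "dst": f'{ev["dest_ip"]}:{ev["dest_port"]}',
        "flowbits": meta.get("flowbits", []),
        "retransmissions": (meta.get("flowints") or {}).get("tcp.retransmission.count", 0),
    }


def parse_fast_line(line):
    """Return correlation fields of a fast.log line, or None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    # fast.log has no offset: assumed UTC here (adjust to the sensor's timezone)
    ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "sid": int(m["sid"]),
        "src": f'{m["src"]}:{m["sport"]}',
        "dst": f'{m["dst"]}:{m["dport"]}',
        "msg": m["msg"],
    }


def key(rec):
    """Correlation key: aware datetimes hash and compare by UTC instant."""
    return (rec["ts"], rec["sid"], rec["src"], rec["dst"])


def correlate(eve_lines, fast_lines):
    """Pair each fast.log alert with the eve.json alert that shares its key."""
    eve = {key(r): r for r in map(parse_eve_alert, eve_lines) if r}
    pairs = []
    for f in filter(None, map(parse_fast_line, fast_lines)):
        e = eve.get(key(f))
        if e:
            pairs.append((f, e))
    return pairs


if __name__ == "__main__":
    for f, e in correlate(EVE_LINES, FAST_LINES):
        print(f["ts"].isoformat(), f["sid"], f["msg"])
        print("  flowbits:", e["flowbits"], "retransmission count:", e["retransmissions"])
```

Every field the fast.log line carries is also present in the eve.json alert, which is why the reply recommends keeping only eve.json; the only work the correlation needs is the timestamp normalisation, and that breaks silently if fast.log was written in local time while eve.json carries an offset, so the timezone assumption is the first thing to verify on a real sensor.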