I’ve got a weird problem regarding suricata versions after 5. I’ve installed from source with full install, no magic.
Suricata just runs fine, but after a week running it doesn’t produce any alerts, only restarting of the process helps. No related entries/errors in the suricata logs, suricata seems running well based on the related process info. No extraordinary load, everything seems fine but alerts aren’t generating. Suricata-update runs daily with no errors.
OS: Debian 10 64bit. Running mode: af-packet 1 interface.
What do you suggest?
It sounds like it starts off logging correctly then eventually the logging stops? Look into any file rotation that may be going on. If the log file is moved as part of rotation, Suricata will need to be told that the files have been moved so it can re-open them:
It could be other things as well I suppose, but this is where I first usually look when Suricata is running but no logs have been produced in a while.
Thanks for the suggestions!
To be honest there is no log rotation configured on the suricata log folder, but I’ve activated the fast.log output also to see what’s going on; otherwise I’m using the prelude output only.
I’ve made some testing with suricatasc before restarting the process and the packet counter was growing, the rule/interface status was also ok, so I assume the suricata process was not frozen, it just “forgot” to generate alerts somehow…
Anyway I’ll keep the thread updated when I get news.
suricatasc, do you observe the alert rate changing?
Is it possible to check the alert rate via suricatasc?
suricatasc allows you to view the current statistics, including the cumulative number of alerts. You’d have to use multiple calls to generate an alert rate.
suricatasc -c dump-counters and look at the value for
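One way to turn two dump-counters calls into an alert rate, and to flag the "packets growing but alerts flat" state this thread describes: this is an added example, not code from the Suricata project or from any poster. It assumes suricatasc prints a JSON reply whose "message" object carries nested counters at detect.alert and capture.kernel_packets (adjust the key paths to your version's output); the sample replies are constructed.

```python
import json
import subprocess

# Assumed key paths inside the "message" object of a dump-counters reply;
# check them against your own Suricata version's output.
ALERT_PATH = ("detect", "alert")
PACKET_PATH = ("capture", "kernel_packets")

# Constructed sample replies, one minute apart: packets keep flowing but the
# alert counter stands still, which is the symptom described in the thread.
SNAPSHOT_T0 = '{"message": {"capture": {"kernel_packets": 1000000}, "detect": {"alert": 420}}, "return": "OK"}'
SNAPSHOT_T1 = '{"message": {"capture": {"kernel_packets": 1600000}, "detect": {"alert": 420}}, "return": "OK"}'
# Constructed reply for the case where stats are not enabled in suricata.yaml.
STATS_OFF = '{"message": "stats not enabled", "return": "NOK"}'


def parse_reply(text):
    """Return the counter tree from a suricatasc JSON reply, or raise on a
    non-OK answer (e.g. when stats logging is disabled)."""
    reply = json.loads(text)
    if reply.get("return") != "OK":
        raise RuntimeError("suricatasc refused: %s" % reply.get("message"))
    return reply["message"]


def counter(tree, path):
    """Walk the nested dict along `path` and return the integer counter."""
    for key in path:
        tree = tree[key]
    return int(tree)


def alert_rate(first, second, seconds):
    """Return (alerts/s, packets/s, stalled) for two snapshots `seconds` apart.
    `stalled` is True when traffic was seen but no new alert was counted."""
    d_alerts = counter(second, ALERT_PATH) - counter(first, ALERT_PATH)
    d_packets = counter(second, PACKET_PATH) - counter(first, PACKET_PATH)
    return d_alerts / seconds, d_packets / seconds, d_packets > 0 and d_alerts == 0


def live_snapshot():
    """Query the running sensor; requires stats to be enabled in suricata.yaml."""
    out = subprocess.run(["suricatasc", "-c", "dump-counters"],
                         capture_output=True, text=True).stdout
    return parse_reply(out)


if __name__ == "__main__":
    rate = alert_rate(parse_reply(SNAPSHOT_T0), parse_reply(SNAPSHOT_T1), 60)
    print("alerts/s=%.2f packets/s=%.0f stalled=%s" % rate)
```

Replace the constructed snapshots with two `live_snapshot()` calls some seconds apart to watch a real sensor; a stalled result while the packet counter climbs is the state worth alarming on.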
All right, thanks! Then I have to enable stats logging as well; without it, suricatasc -c dump-counters gives an error that stats should be enabled.