Suricata 6.0.9 on Ubuntu 22.04 : How to enable the Redis output of SURICATA

Hi,

I’m currently having some problems with the eve.json output configuration… I want to enable the Redis output of Suricata, send the JSON output to Redis and store it in MySQL through other plug-ins. But it seems that I can’t enable the Redis output option now. What configurations should I modify in suricata.yaml? I did this before:

  1. First, modify the filetype in suricata.yaml to Redis

  2. Remove the comments on the Redis configuration

Is the configuration complete?

To enable redis, set the filetype on line 88 to redis.

The default values for redis connectivity are in lines 100-115. If they don’t match the redis deployment you’re using, uncomment line 100 and update the values of the config variables with your deployment variables.
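As an added illustration (not part of Jeff’s reply), this is what the relevant part of the outputs section of suricata.yaml looks like once the filetype is switched to redis and the redis block is uncommented; line numbers vary between versions, and the server address, port and key below are placeholder values to replace with those of your own Redis deployment.

```yaml
outputs:
  # Extensible Event Format (EVE) event log in JSON format
  - eve-log:
      enabled: yes
      # was: filetype: regular  (regular|syslog|unix_dgram|unix_stream|redis)
      filetype: redis
      filename: eve.json          # ignored for redis, but harmless to keep
      redis:
        server: 127.0.0.1         # placeholder: address of your Redis server
        port: 6379                # placeholder: Redis port
        async: true               # read Redis replies asynchronously
        mode: list                # list|lpush (default), rpush, channel|publish
        key: suricata             # placeholder: list or channel name Redis consumers read
        pipelining:
          enabled: yes            # batch queries instead of one round trip per event
          batch-size: 10          # events buffered before a query is sent
      types:
        - alert
        - http
        - dns
        - tls
        - flow
```

Suricata only honours this block when the binary was built with hiredis support, which `suricata --build-info` reports as "hiredis support: yes".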

Yeah, I got it. Sincerely appreciate your help~

Hi Jeff, I have a question: is the Redis output configured like this in Windows too? I followed your previous instructions. I can store the output in Redis under Linux, but I encountered the following problems with the same configuration under the Windows operating system:

C:\WINDOWS\system32>suricata -c D:/software/suricata/suricata.yaml -i 192.168.0.3 -l D:/software/suricata/log
4/1/2023 -- 13:06:36 - - Running as service: no
4/1/2023 -- 13:06:36 - - translated 192.168.0.3 to pcap device \Device\NPF_{2BD67D84-EEE0-4354-9738-086F21AC3E34}
4/1/2023 -- 13:06:36 - - This is Suricata version 6.0.9 RELEASE running in SYSTEM mode
4/1/2023 -- 13:06:36 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol ikev2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
4/1/2023 -- 13:06:36 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module "fast": setup failed
4/1/2023 -- 13:06:36 - - [ERRCODE: SC_ERR_FATAL(171)] - redis JSON output option is not compiled

What is the problem? Could you give me some advice?

Redis must be configured into Suricata, e.g., ./configure --enable-hiredis and the Redis package must be installed.

Use suricata --build-info to display configured features; for redis, look for hiredis support.

Thank you for your prompt reply. Yeah, in Suricata under my current Windows system, I used the command suricata --build-info and found that my HIREDIS support is not enabled:

[image]

What do you mean by “Redis must be configured into Suricata, e.g., ./configure --enable-hiredis”? Do I need to recompile Suricata? Could you explain it in more detail? I don’t quite understand. It seems that I have installed and configured the Redis service before…

How did you install Suricata?

If you manually built it, then the configuration step should be altered to include --enable-redis.

In the Windows operating system, I installed it through the “.msi” file. In this process, I only needed to select the installation path. It seems that there is no configuration step. What you mean is that in the Windows system, I need to manually compile Suricata from the source code?

Yes.

@pevma covered the manual steps in a forum post. You’ll want to add --enable-redis to the step that uses configure.

You’ll also have to install the dependencies listed in the forum post and redis.

Here’s the forum post: Eve.json windows timestamp field has "Eastern Daylight Time" appended to timestamp - #20 by pevma