Suricata 7 to 8 10 times less data, mapping issue?

Hello,

Suricata 7.0.15 is writing its output to json files (± 100 files). Logstash and now Vector parses this data to a Vector pod in Kubernetes which maps the data into Opensearch. All is working well, but when installing suricata v8 (01 or 04, no difference) the opensearch input drops by a factor 10. I’m not able yet to pinpoint the problem, but I guess it is a json to opensearch index field mapping issue.

Any ideas on that regarding what did possibly change in 8?

Thanks in advance,

Andre

Using the same config file? Or a fresh install with a fresh config file? If the latter, maybe you had payload logging enabled in 7 and it's not in 8? (See suricata/suricata.yaml.in at main · OISF/suricata · GitHub).

Still shouldn’t be responsible for that much drop, as most events are non-alert type.

Any warnings on startup?


Using a fresh new file with settings copied from suri7 as far as possible and some new options in use. Main culprit was I forgot to modify some memcap settings, now it is producing as many events as suri7 did so problem solved, thanks for your time and suggestions!

One side note: suricata -T /etc/suricata/suricata.yaml did not pick up a mistyped dot in the dpdk: config section. It passed the test, but when starting suricata 8 it did stop with this error:

suricata[3637719]: Error: conf-yaml-loader: Failed to parse configuration file at line 862: did not find expected key . Line 862 looked like this:

. # comment

^ spot the dot
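A quick way to pinpoint which event types account for a drop like the one reported above, as an added example that is not part of this thread: tally the `event_type` field across the eve.json output of each Suricata version and flag the types that shrank by the reported factor. The eve records below are constructed inline, not real Suricata output.

```python
import json
from collections import Counter


def make_eve(counts):
    """Build constructed eve.json text (one JSON record per line) with the
    given number of records per event_type. Stand-in for real Suricata output."""
    lines = []
    for event_type, n in counts.items():
        for i in range(n):
            lines.append(json.dumps({"timestamp": "2024-01-01T00:00:00.000000+0000",
                                     "event_type": event_type, "flow_id": i}))
    return "\n".join(lines) + "\n"


# Constructed samples: "v7" is the baseline, "v8" has far fewer flow records,
# no fileinfo records at all, and one corrupt line to show how parse errors are handled.
EVE_V7 = make_eve({"flow": 100, "dns": 50, "alert": 5, "fileinfo": 10})
EVE_V8 = make_eve({"flow": 8, "dns": 50, "alert": 5}) + "not json at all\n"


def count_event_types(eve_text):
    """Return (Counter of event_type -> records, number of unparseable lines)."""
    counts = Counter()
    bad = 0
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1  # a truncated or non-JSON line must not abort the whole tally
            continue
        counts[rec.get("event_type", "<missing>")] += 1
    return counts, bad


def compare_event_types(before_text, after_text, ratio=10.0):
    """Map each event_type whose count fell by at least `ratio` (or vanished)
    to (count_before, count_after); types that held steady are omitted."""
    before, _ = count_event_types(before_text)
    after, _ = count_event_types(after_text)
    drops = {}
    for event_type, n_before in before.items():
        n_after = after.get(event_type, 0)
        if n_after == 0 or n_before / n_after >= ratio:
            drops[event_type] = (n_before, n_after)
    return drops


if __name__ == "__main__":
    for event_type, (b, a) in sorted(compare_event_types(EVE_V7, EVE_V8).items()):
        print(f"{event_type}: {b} -> {a}")
```

On real logs, feed each version's concatenated eve.json files into the two arguments; a single event type carrying the drop points at that output's memcap or logging settings rather than at the index mapping.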