Suricata does not generate the fast.log file

Hello guys, I’m doing an integration of Suricata with Mikrotik. I’m already sending the packets to Suricata and it’s apparently working: if I run a test simulating an attack, the error appears in EVEBOX, but the fast.log file is not generated. If I look at the eve.log file, it is generating all the access logs. I use a script for a virtual interface using pcap. Can someone help me generate this log file?

The default configuration will generate a fast.log, as it’s enabled by default. However, only alerts will go to fast.log, while eve.json will get a lot more than just alerts.

Are you seeing event types of “alert” in eve.json, but not seeing a corresponding alert in the fast.log?

So, I’ll show you how I did it.
I installed SELKS.ISO, which comes with Suricata, ElasticSearch etc.
Okay, and I created a virtual interface called eth10 and gave it an IP that is not part of my network.
If I enter EVEBOX and try to generate some HTTP failure, for example, the normal ERROR, IP, TIME, etc. appear there.
But it doesn’t generate the fast.log file.

I ran a GitHub script that uses tzsp2pcap.
I don’t know if it influences anything.

I just generated an error, and looking at the JSON, there is only the eve.json path, no fast.log.

I’m not sure what SELKS sets up for the default configuration, but to get a fast log you’ll need something like this in your outputs section of the suricata.yaml:

  # Configure the type of alert (and other) logging you would like.
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

Yes, I just confirmed this one. I’m going to do a clean installation to see if it generates the file.

fast.log and eve.log are active