Hello guys, I'm doing an integration of Suricata with Mikrotik. I'm already sending the packets to Suricata, and it's apparently working: if I run a test simulating an attack, the error appears in EveBox, but the fast.log file is not generated. If I look at the eve.log file, it's generating all the access logs. I use a script for a virtual interface using pcap. Can someone help me generate this log file?
The default configuration will generate a fast.log, as it's enabled by default. However, only alerts go to fast.log, while eve.json gets a lot more than just alerts.
Are you seeing event types of "alert" in eve.json, but not seeing a corresponding alert in fast.log?
So, I'll show you how I did it.
I installed the SELKS ISO, which comes with Suricata, ElasticSearch, etc.
Okay, and I created a virtual interface called eth10 and gave it an IP that is not part of my network.
If I enter EveBox and try to generate some HTTP failure, for example, the normal ERROR, IP, TIME, etc. appear there.
But it doesn't generate the fast.log file.
I ran a GitHub script that uses this: tzsp2pcap.
I don't know if it influences anything.
I just generated an error, and looking at the JSON, there is only the eve.json path, no fast.log.
I’m not sure what SELKS sets up for the default configuration, but to get a fast log you’ll need something like this in your outputs section of the suricata.yaml:
# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
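A quick way to answer the question above ("alerts in eve.json but nothing in fast.log?") is to cross-check the two files. The script below is an added example for this thread, not code from Suricata, SELKS or either poster. It parses alert events out of EVE JSON lines, parses fast.log lines with a regular expression for Suricata's fast format, and reports which alerts never reached fast.log. The EVE and fast.log samples embedded in it are constructed (local test SIDs 1000001/1000002, documentation-range addresses); the log directory `/var/log/suricata` used by `check_files` is the usual default but is an assumption, and the fast.log regex assumes IPv4 `addr:port` pairs.

```python
"""Cross-check Suricata EVE alerts against fast.log (added example, not Suricata's own code).

Only alert events are written to fast.log, so every {"event_type":"alert"} line in
eve.json should have a fast.log counterpart. If eve.json has alerts but fast.log is
empty or missing, the 'fast' output in suricata.yaml is the first thing to check.
Standard library only.
"""
import json
import os
import re
from collections import Counter

# Constructed sample data (not from the original thread): two alerts and one http event.
EVE_SAMPLE = """\
{"timestamp":"2021-03-10T14:22:01.123456-0300","event_type":"alert","src_ip":"10.10.10.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":1000001,"rev":1,"signature":"TEST alert one","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-03-10T14:22:01.223456-0300","event_type":"http","src_ip":"10.10.10.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","http":{"hostname":"example.test","url":"/","status":404}}
{"timestamp":"2021-03-10T14:22:02.000001-0300","event_type":"alert","src_ip":"10.10.10.6","src_port":40000,"dest_ip":"203.0.113.8","dest_port":443,"proto":"TCP","alert":{"gid":1,"signature_id":1000002,"rev":1,"signature":"TEST alert two","category":"Attempted Information Leak","severity":2}}
"""

# Constructed fast.log with only the first alert, so the second shows up as missing.
FAST_SAMPLE = """\
03/10/2021-14:22:01.123456  [**] [1:1000001:1] TEST alert one [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.10.5:51234 -> 203.0.113.7:80
"""

# One fast.log line: timestamp [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>.+?):(?P<sport>\d+)\s+->\s+(?P<dst>.+?):(?P<dport>\d+)\s*$"
)


def alert_keys_from_eve(text):
    """Counter of (gid, sid, rev, src, sport, dst, dport) for alert events only."""
    keys = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # http, dns, flow, ... are EVE-only and never reach fast.log
        a = ev["alert"]
        keys[(a["gid"], a["signature_id"], a["rev"],
              ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])] += 1
    return keys


def alert_keys_from_fast(text):
    """Same key shape as alert_keys_from_eve, built from fast.log lines."""
    keys = Counter()
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash on a partial write
        keys[(int(m["gid"]), int(m["sid"]), int(m["rev"]),
              m["src"], int(m["sport"]), m["dst"], int(m["dport"]))] += 1
    return keys


def compare(eve_text, fast_text):
    """Count alerts on both sides and list EVE alerts with no fast.log counterpart."""
    eve = alert_keys_from_eve(eve_text)
    fast = alert_keys_from_fast(fast_text)
    missing = eve - fast  # Counter subtraction keeps only positive differences
    return {
        "eve_alerts": sum(eve.values()),
        "fast_alerts": sum(fast.values()),
        "missing": sorted(missing.elements()),
    }


def diagnose(result):
    """Turn the comparison into the next troubleshooting step."""
    if result["eve_alerts"] == 0:
        return "no alerts in eve.json: nothing is expected in fast.log; check rules and traffic first"
    if result["fast_alerts"] == 0:
        return "alerts in eve.json but none in fast.log: enable the 'fast' output in suricata.yaml"
    if result["missing"]:
        return "%d alert(s) missing from fast.log" % len(result["missing"])
    return "fast.log matches the alerts in eve.json"


def check_files(log_dir="/var/log/suricata"):
    """Run the comparison on real files; an absent fast.log counts as empty (log_dir is an assumed default)."""
    with open(os.path.join(log_dir, "eve.json")) as f:
        eve_text = f.read()
    fast_path = os.path.join(log_dir, "fast.log")
    fast_text = open(fast_path).read() if os.path.exists(fast_path) else ""
    return compare(eve_text, fast_text)


if __name__ == "__main__":
    r = compare(EVE_SAMPLE, FAST_SAMPLE)
    print(r)
    print(diagnose(r))
```

Run it against a live sensor with `check_files()` (after a fresh `suricata -T`-validated config and a restart); a result of "alerts in eve.json but none in fast.log" points straight at the `fast:` output block rather than at the capture path or rule set.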
Yes, I just confirmed this one. I'm going to do a clean installation to see if it generates the file.
fast.log and eve.log are active.