Hi Darren, it looks like there are 2 different issues here:
-
if you want to have both unix socket output and regular file output, you need to duplicate the entire
eve-logconfig block and set unix socket in one andregularin the other one. -
suricata doesn’t create the unix socket, but instead if connects to an existing one.
simple test:
nc -U -l /tmp/mysocket
yaml
- eve-log:
enabled: yes
filetype: unix_stream #regular #regular|syslog|unix_dgram|unix_stream|redis
filename: /tmp/mysocket
Now run Suricata and you should see eve records on the console of your nc command.