Hi @gent79reid!
Are you not seeing any flow events at all? Could you please check the “flow” setting under “outputs -> eve-log -> types” in your suricata.yaml if flow is listed just to be sure? It should have:
```yaml
outputs:
  - eve-log:
      enabled: yes
      # other things
      types:
        - flow
```
Yes, I can see other flows and the “-flow” option is enabled in my config. What I want to get is to display the currently active (new, established) flows and their app_proto, then I can put them in a time chart to present the trend of the application activity in my network. Any suggestion of how to do it? Very much appreciated!
I also tried to search for the flow_id from an ssh event in the flow events, but got nothing matched.
How often does suricata generate a flow event? Is it possible to adjust the interval?
Suricata only logs a flow when it considers the flow finished or timed out. There has been some discussion about making it dump flows on some interval, but we haven’t decided if it is worth the effort for us.
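Given that the flow record is written only once the flow is finished or timed out, one way to get the trend of application activity from the current eve.json is to work backwards from the logged `flow.start` and `flow.end` timestamps: every completed flow is counted into each minute it spanned, per `app_proto`, which reconstructs concurrency after the fact. The same script pairs app-layer events (here `ssh`) with their `flow` record by `flow_id`, so a flow that is still open simply has no match yet. This is an added example, not code from Suricata or from anyone in this thread; the eve lines it parses are constructed to follow the eve-log `flow` and `ssh` record layout and the values in them (IPs, flow_ids, timestamps) are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample eve.json lines (not real Suricata output). Field names follow
# the eve-log "flow" and "ssh" record types; all values are invented.
# Flow 3333 has an ssh event but no flow record yet: the flow is still open.
SAMPLE_EVE = """\
{"timestamp":"2021-05-03T10:00:05.000000+0000","flow_id":1111,"event_type":"ssh","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","app_proto":"ssh"}
{"timestamp":"2021-05-03T10:03:40.000000+0000","flow_id":1111,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","app_proto":"ssh","flow":{"start":"2021-05-03T10:00:01.000000+0000","end":"2021-05-03T10:03:40.000000+0000","state":"closed","reason":"timeout"}}
{"timestamp":"2021-05-03T10:02:10.000000+0000","flow_id":2222,"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"192.0.2.10","proto":"TCP","app_proto":"http","flow":{"start":"2021-05-03T10:01:30.000000+0000","end":"2021-05-03T10:02:10.000000+0000","state":"closed","reason":"timeout"}}
{"timestamp":"2021-05-03T10:00:20.000000+0000","flow_id":3333,"event_type":"ssh","src_ip":"10.0.0.8","dest_ip":"10.0.0.9","app_proto":"ssh"}
"""


def parse_ts(value):
    """Parse an eve timestamp such as 2021-05-03T10:00:01.000000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def load_events(text):
    """One JSON object per line, blank lines skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def active_flows_per_minute(events):
    """Count, for every minute bucket, how many logged flows of each app_proto
    were active during that minute, using flow.start / flow.end.
    Returns {(bucket_iso, app_proto): count}."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("event_type") != "flow":
            continue
        start = parse_ts(ev["flow"]["start"]).replace(second=0, microsecond=0)
        end = parse_ts(ev["flow"]["end"])
        proto = ev.get("app_proto", "unknown")
        bucket = start
        while bucket <= end:
            counts[(bucket.isoformat(), proto)] += 1
            bucket += timedelta(minutes=1)
    return dict(counts)


def match_app_events(events, event_type="ssh"):
    """Pair each app-layer event with its flow record via flow_id.
    A value of None means no flow record has been logged for that flow_id,
    which is what an open (not yet finished or timed out) flow looks like."""
    flows = {ev["flow_id"]: ev for ev in events if ev.get("event_type") == "flow"}
    return {ev["flow_id"]: flows.get(ev["flow_id"])
            for ev in events if ev.get("event_type") == event_type}


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVE)
    for (bucket, proto), n in sorted(active_flows_per_minute(evs).items()):
        print(f"{bucket} {proto:8s} active={n}")
    for fid, flow in match_app_events(evs).items():
        status = flow["flow"]["reason"] if flow else "no flow record yet (still open)"
        print(f"ssh flow_id={fid}: {status}")
```

To run it on a real file, replace `SAMPLE_EVE` with the contents of eve.json (or stream the file line by line, since it can be large). The per-minute table is what a time chart of application activity would plot; note that it only becomes complete for a given minute once every flow that was active in that minute has ended and been logged.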
Do you have any suggestions for collecting active flows in the current version?
Other question: while my http download session is still active, the flow event indicates it’s “shutdown”. Is there any doc explaining the details of how suricata determines the reason of “close”, “forced” and “shutdown”?