What is different between suricata workers and autofp on eve.log

gary · August 2, 2021, 1:21pm

what is different between suricata workers and autofp on eve.log?

Jeff_Lucovsky · August 3, 2021, 12:04pm

Hi Gary,

workers and autofp are “runmodes”. See 9.1. Runmodes — Suricata 6.0.3 documentation for documentation.

Essentially, they control how Suricata manages the packet flow – autofp uses a single thread to capture packets – this thread distributes packets to one or more worker threads (note: there can be multiple capture threads). workers differs in that an individual worker thread handles packet capture, processing. When there is one worker thread configured, that runmode is single

gary · August 6, 2021, 7:01am

Hello Jeff，
When I used autofp,the output logs in eve.json are connect, such as the http-head and body contain in one record, but in workers runmodes, http-head and http-body were recorded with two logs. I want to know why. Thank you!

Jeff_Lucovsky · August 6, 2021, 11:17am

Hi Gary,
By recorded with two logs – this means two log entries within eve.json?

Can you post a snippet with the appropriate masking of any private information?

Topic		Replies	Views
Pfring workers mode Help centos	3	440	August 29, 2021
Rules and log files	1	275	November 28, 2023
Performance of Lua-Output in high-alert throughput Developers rules , suricata , lua	4	599	February 2, 2023
Stats.log file question Help	2	639	March 4, 2021
Suricata Sending Request & Response Bodies in multiple events due to alert rule Rules rules , suricata	2	113	March 7, 2024

What is different between suricata workers and autofp on eve.log

Related Topics