Bug #1531
closed
multitenancy - confusing tenant id and vlan id output
Description
Using Suricata version 2.1dev (rev 834c366)
With the following setup below:
multi-detect:
  enabled: yes
  #selector: direct # direct or vlan
  selector: vlan
  loaders: 1
  tenants:
  - tenant:
    id: 1
    yaml: /etc/suricata/peter-yaml/tenant-47.yaml
#  - tenant:
#    id: 2
#    yaml: /etc/suricata/tenant-2.yaml
  mappings:
  - vlan:
    vlan-id: 47
    tenant-id: 1
#  - vlan:
#    vlan-id: 4092
#    tenant-id: 2
I get that info in suricata.log (using verbose output):
...
[30617] 18/8/2015 -- 21:32:42 - (detect-engine-loader.c:128) <Info> (DetectLoadersInit) -- using 1 detect loader threads
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:1917) <Info> (DetectEngineMultiTenantSetup) -- selector vlan
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:1931) <Info> (DetectEngineMultiTenantSetup) -- multi-detect is enabled (multi tenancy). Selector: vlan
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:1947) <Info> (DetectEngineMultiTenantSetup) -- vlan 1 47
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:2106) <Info> (DetectEngineTentantRegisterSelector) -- tenant handler 2 1 47 registered
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:2007) <Info> (DetectEngineMultiTenantSetup) -- tenant id: 1, /etc/suricata/peter-yaml/tenant-47.yaml
[30618] 18/8/2015 -- 21:32:42 - (detect-engine.c:1810) <Info> (DetectLoaderFuncLoadTenant) -- loader 0
...
The "vlan 1 47" is a bit misleading and can lead to some issues when parsing the suricata.log or suricata.json log files.
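An added example (not part of the original report and not Suricata code): a small Python check that reads the two `DetectEngineMultiTenantSetup` lines from the verbose log and compares them with the configured VLAN-to-tenant mapping. It assumes the bare numbers in `vlan 1 47` are tenant id followed by VLAN id, which is inferred from the config in this report; the function and variable names are hypothetical.

```python
import re

# Constructed sample: the two relevant lines from the log excerpt in this report.
SAMPLE_LOG = """\
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:1947) <Info> (DetectEngineMultiTenantSetup) -- vlan 1 47
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:2007) <Info> (DetectEngineMultiTenantSetup) -- tenant id: 1, /etc/suricata/peter-yaml/tenant-47.yaml
"""

# Mapping taken from the multi-detect config in the report: vlan-id -> tenant-id.
CONFIG_MAPPINGS = {47: 1}

# Assumption: the two bare numbers are "<tenant-id> <vlan-id>", in that order,
# inferred from the report's config (tenant-id 1, vlan-id 47).
VLAN_LINE = re.compile(r"\(DetectEngineMultiTenantSetup\) -- vlan (\d+) (\d+)\s*$")
TENANT_LINE = re.compile(r"\(DetectEngineMultiTenantSetup\) -- tenant id: (\d+), (\S+)\s*$")


def parse_multitenant_log(text):
    """Return ({vlan_id: tenant_id}, {tenant_id: yaml_path}) from verbose log text."""
    vlan_to_tenant, tenant_yaml = {}, {}
    for line in text.splitlines():
        m = VLAN_LINE.search(line)
        if m:
            tenant_id, vlan_id = int(m.group(1)), int(m.group(2))
            vlan_to_tenant[vlan_id] = tenant_id
            continue
        m = TENANT_LINE.search(line)
        if m:
            tenant_yaml[int(m.group(1))] = m.group(2)
    return vlan_to_tenant, tenant_yaml


def check_against_config(vlan_to_tenant, tenant_yaml, config_mappings):
    """List mismatches between what the engine logged and what was configured."""
    problems = []
    for vlan_id, tenant_id in config_mappings.items():
        logged = vlan_to_tenant.get(vlan_id)
        if logged is None:
            problems.append(f"vlan {vlan_id}: no mapping logged")
        elif logged != tenant_id:
            problems.append(f"vlan {vlan_id}: logged tenant {logged}, configured {tenant_id}")
        elif tenant_id not in tenant_yaml:
            problems.append(f"tenant {tenant_id}: mapped but no yaml loaded")
    return problems


if __name__ == "__main__":
    v, t = parse_multitenant_log(SAMPLE_LOG)
    print(v, t, check_against_config(v, t, CONFIG_MAPPINGS))
```

Reading the same line with the fields in the opposite order yields a mapping for VLAN 1 instead of VLAN 47, so the check reports the configured VLAN as unmapped; that is the parsing hazard the unlabeled output creates.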