Project

General

Profile

Actions

Bug #4471

closed

Duplicate alert record in eve log when using unix-socket mode

Added by Jeff Lucovsky over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When using unix-socket mode I see two things:
1. first alert record in eve log is produces twice,
2. unexpected write into the default-log-dir takes place.

Configuration files and pcap file are placed in the attachment (taken from https://github.com/OISF/suricata-verify/tree/master/tests/alert-testmyids).

My research ended up with the following:
1. Two instances of `OutputPacketLogger` are inserted into global index because of `RunModeInitializeOutputs()` is called twice in unix-socket mode.
2. Such a behavior was introduced with the commit https://github.com/OISF/suricata/commit/ea15282f47c6ff781533e3a063f9c903dd6f1afb.
3. There is a corresponding bug in the issues tracker (https://redmine.openinfosecfoundation.org/issues/4225).


Files

scenario.zip (3.25 KB) scenario.zip Sergei Koniukhov, 04/19/2021 11:26 AM

Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #4434: Duplicate alert record in eve log when using unix-socket modeClosedJason IshActions
Actions #1

Updated by Jeff Lucovsky over 3 years ago

  • Copied from Bug #4434: Duplicate alert record in eve log when using unix-socket mode added
Actions #2

Updated by Shivani Bhardwaj over 3 years ago

  • Status changed from Assigned to In Progress
Actions #3

Updated by Shivani Bhardwaj over 3 years ago

  • Status changed from In Progress to Closed
Actions

Also available in: Atom PDF