Bug #6915
How to write the filepath to the alert log when using default mode with pcap-log?
Status: open
Affected Versions:
Hello Teams,

When I set the mode to default mode in the pcap-log of Suricata, my alert log will not record the capture_file. How should I tweak the configuration to bring out the capture_file in the alert log?
  - pcap-log:
      enabled: yes
      filename: log-%n-%t.pcap
      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      limit: 4mb
      # If set to a value, ring buffer mode is enabled. Will keep maximum of
      # "max-files" of size "limit"
      max-files: 2500
      # Compression algorithm for pcap files. Possible values: none, lz4.
      # Enabling compression is incompatible with the sguil mode. Note also
      # that on Windows, enabling compression will *increase* disk I/O.
      compression: none
      # Further options for lz4 compression. The compression level can be set
      # to a value between 0 and 16, where higher values result in higher
      # compression.
      #lz4-checksum: no
      #lz4-level: 0
      mode: normal # normal, multi or sguil.
      # Directory to place pcap files. If not provided the default log
      # directory will be used. Required for "sguil" mode.
      dir: /var/log/suricata/
      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
      use-stream-depth: no # If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
      conditional: alerts
Updated by Philippe Antoine 8 months ago
- Tracker changed from Support to Bug
- Status changed from New to Feedback
- Target version set to TBD
For support questions, is now the better place.
For your question, do you expect a `capture_file` field in your eve.json alert events?
I think capture_file is meant when you read multiple pcaps (see pcap-file in suricata.yaml eve output), not when you are recording live traffic into pcaps.
Would you be able to create a suricata-verify test with what you expect?
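An added example, not from this ticket or from the Suricata project, of how an analyst can work with what the two modes provide: it reports `capture_file` when an alert event carries it (the pcap-file input case the reply describes), and otherwise maps the alert timestamp onto the live ring-buffer files named by the ticket's `log-%n-%t.pcap` pattern. It assumes `%n` is the thread number and `%t` the unix time at which the file was opened; the eve.json lines and file names are constructed.

```python
import json
import re
from datetime import datetime

# Constructed eve.json lines for this example (not from the ticket).
EVE_LINES = [
    '{"timestamp":"2024-04-10T12:00:05.123456+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2100498}}',
    '{"timestamp":"2024-04-10T12:00:40.000000+0000","event_type":"flow"}',
    '{"timestamp":"2024-04-10T12:01:10.500000+0000","event_type":"alert",'
    '"capture_file":"/pcaps/in.pcap","alert":{"signature_id":1}}',
]
# Constructed ring-buffer listing following the ticket's pattern log-%n-%t.pcap
# (assumption: %n = thread number, %t = unix time when the file was opened).
PCAP_FILES = ["log-1-1712750400.pcap", "log-2-1712750400.pcap", "log-1-1712750460.pcap"]
NAME_RE = re.compile(r"^log-(?P<thread>\d+)-(?P<start>\d+)\.pcap$")

def eve_ts(value):
    """Convert an eve.json timestamp (with +0000 style offset) to unix seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()

def candidate_pcaps(alert_ts, pcap_files):
    """Per thread, the newest file opened at or before the alert. Assumption: a
    file covers the interval up to the next file of the same thread."""
    newest = {}
    for name in pcap_files:
        m = NAME_RE.match(name)
        if not m:
            continue
        thread, start = int(m["thread"]), int(m["start"])
        if start <= alert_ts and start >= newest.get(thread, (-1, ""))[0]:
            newest[thread] = (start, name)
    return sorted(n for _, n in newest.values())

def correlate(eve_lines, pcap_files):
    """Report capture_file when eve.json carries it (pcap-file input mode);
    otherwise list the live pcap-log files that may hold the alerting flow."""
    out = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        rec = {"timestamp": ev["timestamp"], "sid": ev["alert"]["signature_id"]}
        if "capture_file" in ev:
            rec["capture_file"] = ev["capture_file"]
        else:
            rec["candidates"] = candidate_pcaps(eve_ts(ev["timestamp"]), pcap_files)
        out.append(rec)
    return out
```

With `conditional: alerts` the candidate files only hold packets of flows that alerted, so the listed files are the ones to open when pulling the flow for an investigation.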