Bug #1246
closedEVE output Unix domain socket not working
Description
In order to feed an elasticsearch with logstash without an intermediate disk file I am trying to export EVE to an Unix domain socket.
Unfortunately this is not working in suricata 2.0.2 release even with this decanio's patch
Tests made¶
| Test | Result |
|---|---|
| 1. fast output as Unix domain stream socket | ok |
| 2. fast output as Unix domain datagram socket | ok |
| 3. EVE output as Unix domain stream socket | not ok |
| 4. EVE output as Unix domain datagram socket | not ok |
Tests methods¶
Receiver is netcat-openbsd for Unix domain stream socket or socat for Unix domain datagram socket.
Sender is suricata --pfring and relevant configuration is detailled.
EVE output is fully functionnal to a flat file.
1. receiver: nc -vlkU /srv/suricata/suri_fast.sock
1. sender:
outputs:
- fast:
enabled: yes
filename: suri_fast.sock
filetype: unix_dgram
2. receiver: socat UNIX-RECVFROM:/srv/suricata/suri_fast.sock,fork STDOUT
2. sender:
outputs:
- fast:
enabled: yes
filename: suri_fast.sock
filetype: unix_stream
3. receiver: nc -vlkU /srv/suricata/suri_eve.sock
3. sender:
outputs:
- eve-log:
enabled: yes
type: unix_stream
filename: suri_eve.sock
4. receiver: socat UNIX-RECVFROM:/srv/suricata/suri_eve.sock,fork STDOUT
4. sender:
outputs:
- eve-log:
enabled: yes
type: unix_dgram
filename: suri_eve.sock
Environment¶
suricata-2.0.2 release with and without decanio's patch (two build tried).
configure line:
dh_auto_configure -- LDFLAGS='-L/home/package/PF_RING.svn/userland/libpcap-1.1.1-ring/' LIBS='-lnuma' --enable-pfring --with-libpfring-libraries=/home/package/PF_RING.svn/userland/lib --with-libpfring-includes=/home/package/PF_RING.svn/userland/lib --with-libpcap-libraries=/home/package/PF_RING.svn/userland/libpcap-1.1.1-ring --with-libpcap-includes=/home/package/PF_RING.svn/userland/libpcap-1.1.1-ring --enable-luajit --with-libluajit-includes=/home/package/libluajit-2.0.3/src --with-libluajit-libraries=/home/package/libluajit-2.0.3/debian/libluajit/usr/local/lib
configure output:
Suricata Configuration: AF_PACKET support: yes PF_RING support: yes NFQueue support: no NFLOG support: no IPFW support: no DAG enabled: no Napatech enabled: no Unix socket enabled: yes Detection enabled: yes libnss support: yes libnspr support: yes libjansson support: yes Prelude support: no PCRE jit: yes LUA support: yes libluajit: yes libgeoip: no Non-bundled htp: no Old barnyard2 support: no CUDA enabled: no Suricatasc install: yes Unit tests enabled: no Debug output enabled: no Debug validation enabled: no Profiling enabled: no Profiling locks enabled: no Coccinelle / spatch: no Generic build parameters: Installation prefix (--prefix): /usr Configuration directory (--sysconfdir): /etc/suricata/ Log directory (--localstatedir) : /var/log/suricata/ Host: x86_64-pc-linux-gnu GCC binary: gcc GCC Protect enabled: no GCC march native enabled: yes GCC Profile enabled: no
Updated by les syv over 9 years ago
This PR on github fixed it.
I am testing it since two days and it works like a charm without an intermediate regular file.
Updated by Victor Julien over 9 years ago
- Status changed from New to Closed
- Assignee set to Victor Julien
- Target version set to 2.0.5
- % Done changed from 0 to 100
Fixed by https://github.com/inliniac/suricata/pull/1063, thanks!