Bug #1531

closed

multitenancy - confusing tenant id and vlan id output

Added by Peter Manev over 9 years ago. Updated almost 9 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using Suricata version 2.1dev (rev 834c366)
With the following setup:

multi-detect:
  enabled: yes
  #selector: direct # direct or vlan
  selector: vlan
  loaders: 1

  tenants:
  - tenant:
    id: 1
    yaml: /etc/suricata/peter-yaml/tenant-47.yaml
#  - tenant:
#    id: 2
#    yaml: /etc/suricata/tenant-2.yaml

  mappings:
  - vlan:
    vlan-id: 47
    tenant-id: 1
#  - vlan:
#    vlan-id: 4092
#    tenant-id: 2

I get that info in suricata.log (using verbose output):

...
[30617] 18/8/2015 -- 21:32:42 - (detect-engine-loader.c:128) <Info> (DetectLoadersInit) -- using 1 detect loader threads
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:1917) <Info> (DetectEngineMultiTenantSetup) -- selector vlan
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:1931) <Info> (DetectEngineMultiTenantSetup) -- multi-detect is enabled (multi tenancy). Selector: vlan
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:1947) <Info> (DetectEngineMultiTenantSetup) -- vlan 1 47
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:2106) <Info> (DetectEngineTentantRegisterSelector) -- tenant handler 2 1 47 registered
[30617] 18/8/2015 -- 21:32:42 - (detect-engine.c:2007) <Info> (DetectEngineMultiTenantSetup) -- tenant id: 1, /etc/suricata/peter-yaml/tenant-47.yaml
[30618] 18/8/2015 -- 21:32:42 - (detect-engine.c:1810) <Info> (DetectLoaderFuncLoadTenant) -- loader 0
...

The "vlan 1 47" is a bit misleading and can lead to some issues when parsing the suricata.log or suricata.json log files.
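An added example, not part of the original report or of Suricata's code: a log check that labels the two numbers in a `vlan A B` line by cross-referencing them against the `tenant id:` lines of the same log, and flags the pair when the log alone cannot settle it. The function name `resolve_mappings` and the second sample are assumptions made for illustration; the first sample is copied from the log above.

```python
import re

# Patterns for the two message shapes shown in the report.
VLAN_RE = re.compile(r"\(DetectEngineMultiTenantSetup\) -- vlan (\d+) (\d+)\s*$")
TENANT_RE = re.compile(r"\(DetectEngineMultiTenantSetup\) -- tenant id: (\d+), (\S+)")

PREFIX = "[30617] 18/8/2015 -- 21:32:42 - "
# Lines copied from the report.
REPORT_LINES = [
    PREFIX + "(detect-engine.c:1947) <Info> (DetectEngineMultiTenantSetup) -- vlan 1 47",
    PREFIX + "(detect-engine.c:2007) <Info> (DetectEngineMultiTenantSetup) -- tenant id: 1, /etc/suricata/peter-yaml/tenant-47.yaml",
]
# Constructed sample: two tenants, and a VLAN id that is also a tenant id.
CONSTRUCTED_LINES = [
    PREFIX + "(detect-engine.c:1947) <Info> (DetectEngineMultiTenantSetup) -- vlan 1 2",
    PREFIX + "(detect-engine.c:2007) <Info> (DetectEngineMultiTenantSetup) -- tenant id: 1, /tmp/t1.yaml",
    PREFIX + "(detect-engine.c:2007) <Info> (DetectEngineMultiTenantSetup) -- tenant id: 2, /tmp/t2.yaml",
]

def resolve_mappings(lines):
    """Label each 'vlan A B' pair without assuming a field order.

    The 'tenant id:' lines are unambiguous, so they serve as ground truth
    for which of the two numbers can be a tenant id.
    """
    lines = list(lines)
    tenants = {int(m.group(1)) for l in lines if (m := TENANT_RE.search(l))}
    results = []
    for line in lines:
        m = VLAN_RE.search(line)
        if not m:
            continue
        a, b = int(m.group(1)), int(m.group(2))
        a_known, b_known = a in tenants, b in tenants
        if a_known and (a == b or not b_known):
            results.append({"tenant_id": a, "vlan_id": b, "status": "resolved"})
        elif b_known and not a_known:
            results.append({"tenant_id": b, "vlan_id": a, "status": "resolved"})
        else:
            # Both numbers are tenant ids, or neither is: the line cannot be labelled.
            status = "ambiguous" if a_known else "unknown-tenant"
            results.append({"raw": (a, b), "status": status})
    return results

if __name__ == "__main__":
    for sample in (REPORT_LINES, CONSTRUCTED_LINES):
        print(resolve_mappings(sample))
```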
