Lost events writing to unix socket
when using the pcap offline analysis and configured Suricata for writing eve-log events to a unix stream socket some events can be lost.
Find attached a pcap with a lot of DNS events (malware generated), first I wrote in Python a UNIX stream socket server for reading the eve log events and surprisingly some events were lost because Suricata was lot quicker writing to the socket than my code reading from it so using the "send()" primitive returned an EAGAIN error.
After that, instead of coding a C UNIX server I used the socat utility and unfortunately the same behaviour was observed.
IMHO a minimal wait would be sufficient when using a UNIX socket for eve log events.
Tested on GitHub master branch with latest commit https://github.com/inliniac/suricata/commit/499afaba4bc4624afa9e7d7e7648f9070ea5d37d
I'm going to send a PR to the GitHub repository with a new eve log option named 'unix-retry-wait' where you can set the microseconds for waiting before retry a write on a UNIX stream socket with the write queue full