Bug #2919

closed

nested config files seem to trigger decoder output stats error (SC_WARN_DEFAULT_WILL_CHANGE) even when enabled

Added by Peter Manev about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

[2573] 3/4/2019 -- 23:53:55 - (suricata.c:1058) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (rev 69d0d484e)
[2573] 3/4/2019 -- 23:53:55 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 2
[2573] 3/4/2019 -- 23:53:55 - (counters.c:264) <Warning> (StatsInitCtxPreOutput) -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
[2573] 3/4/2019 -- 23:53:55 - (util-logopenfile.c:478) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[2573] 3/4/2019 -- 23:53:55 - (output-json-email-common.c:455) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email body
[2573] 3/4/2019 -- 23:53:55 - (output-json-email-common.c:459) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email subject
[2573] 3/4/2019 -- 23:53:55 - (output-json-dnp3.c:392) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[2573] 3/4/2019 -- 23:53:55 - (output-json-dnp3.c:392) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[2573] 3/4/2019 -- 23:53:55 - (output-json-stats.c:468) <Warning> (OutputStatsLogInitSub) -- [ERRCODE: SC_WARN_EVE_MISSING_EVENTS(318)] - eve.stats will not display all decoder events correctly. See #2225. Set a prefix in stats.decoder-events-prefix. In 5.0 the prefix will default to 'decoder.event'.

tail /etc/suricata/suricata.yaml 

##
## Include other configs
##

# Includes.  Files included here will be handled as if they were
# inlined in this configuration file.
#include: include1.yaml
#include: include2.yaml
include: /etc/suricata/addin.yaml

Inside the second/nested config "/etc/suricata/addin.yaml" I have set up the outputs for decoder events -

/usr/bin/suricata -c /etc/suricata/suricata.yaml --dump-config |grep decoder-events
outputs.10.stats.decoder-events = true
outputs.10.stats.decoder-events-prefix = decoder.event

but it still throws out the err/warning.
If I do the change in the main yaml config - I do not get the err/warning anymore.

Actions #1

Updated by Victor Julien about 5 years ago

This looks like it works as it should. The stats.decoder-events-prefix = decoder.event should be that, not in the 'outputs.NN' list.

As you can see in the default config this is not part of the 'outputs':

# global stats configuration
stats:
  enabled: yes
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  interval: 8
  # Add decode events as stats.
  #decoder-events: true
  # Decoder event prefix in stats. Has been 'decoder' before, but that leads
  # to missing events in the eve.stats records. See issue #2225.
  decoder-events-prefix: "decoder.event" 
  # Add stream events as stats.
  #stream-events: false

Actions #2

Updated by Peter Manev about 5 years ago

  • Status changed from New to Closed

Understood - I missed that part it seems.
Closing as it is working as expected then.
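
An added example, not part of the ticket or of Suricata's own code: a Python check over `--dump-config` output that reports stats keys set under an `outputs.N` entry instead of the global `stats:` section, which is the misplacement resolved in this thread. The function names and sample dumps are constructed for illustration, and the warning condition is an assumption taken from the log message in the description.

```python
import re

# Keys the default config quoted in the thread keeps in the global `stats:` section.
GLOBAL_STATS_KEYS = ("decoder-events", "decoder-events-prefix", "stream-events")
# The same key names under any `outputs.<N>` entry are in the wrong scope.
MISPLACED = re.compile(
    r"^outputs\.\d+\.(?:.+\.)?stats\.(%s)$" % "|".join(map(re.escape, GLOBAL_STATS_KEYS))
)

# Constructed dumps: the two `outputs.10` lines are the ones quoted in the
# report, the remaining lines are sample values, not captured output.
REPORTED = """\
outputs.10.stats.decoder-events = true
outputs.10.stats.decoder-events-prefix = decoder.event
stats.enabled = yes
stats.interval = 8
"""
FIXED = """\
stats.enabled = yes
stats.interval = 8
stats.decoder-events-prefix = decoder.event
"""

def parse_dump(text):
    """Turn the `key = value` lines of a --dump-config listing into a dict."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def check_stats_scope(text):
    """Report stats keys set under outputs.N and whether the global prefix is set."""
    conf = parse_dump(text)
    misplaced = []
    for key in sorted(conf):
        match = MISPLACED.match(key)
        if match:
            # Pair the key as found with the global key it should have been.
            misplaced.append((key, "stats." + match.group(1)))
    prefix = conf.get("stats.decoder-events-prefix")
    # Assumption from the log message: the warning fires when this key is unset.
    return {"misplaced": misplaced, "global_prefix": prefix,
            "warning_expected": prefix is None}

if __name__ == "__main__":
    for name, dump in (("reported", REPORTED), ("fixed", FIXED)):
        print(name, check_stats_scope(dump))
```

To check a live configuration, pass the text produced by `suricata -c /etc/suricata/suricata.yaml --dump-config` to `check_stats_scope`.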
