Bug #6915

open

How to write the filepath to the alert log when using default mode with pcap-log?

Added by Roaming White 8 months ago. Updated 5 months ago.

Status: Feedback
Priority: Normal

Description

Hello Teams, when I set the mode to default mode in the pcap-log of Suricata, my alert log will not record the capture_file. How should I tweak the configuration to bring out the capture_file in the alert log?

  - pcap-log:
      enabled: yes
      filename: log-%n-%t.pcap

      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      limit: 4mb

      # If set to a value, ring buffer mode is enabled. Will keep maximum of
      # "max-files" of size "limit" 
      max-files: 2500

      # Compression algorithm for pcap files. Possible values: none, lz4.
      # Enabling compression is incompatible with the sguil mode. Note also
      # that on Windows, enabling compression will *increase* disk I/O.
      compression: none

      # Further options for lz4 compression. The compression level can be set
      # to a value between 0 and 16, where higher values result in higher
      # compression.
      #lz4-checksum: no
      #lz4-level: 0

      mode: normal # normal, multi or sguil.

      # Directory to place pcap files. If not provided the default log
      # directory will be used. Required for "sguil" mode.
      dir: /var/log/suricata/

      #ts-format: usec # sec or usec; second format (default) is filename.sec, usec is filename.sec.usec
      use-stream-depth: no # If set to "yes", packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
      conditional: alerts
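A quick way to verify, after any configuration change, whether alert events are actually carrying a capture_file is to audit the EVE output line by line. The script below is an added example written for this issue, not code from the reporter or from the Suricata project. It assumes the usual EVE JSON layout of one event per line with an `event_type` key and, when present, a top-level `capture_file` key; the sample lines and the pcap file name in them are constructed to match the `log-%n-%t.pcap` pattern from the configuration above.

```python
import json
import sys
from collections import Counter

# Constructed sample EVE lines (not from the issue): one alert with a
# capture_file, one alert without it, one non-alert event and one line
# that is not JSON at all, so the checker's tolerance is exercised.
SAMPLE_EVE_LINES = """\
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.1","alert":{"signature_id":1,"signature":"TEST 1"},"capture_file":"/var/log/suricata/log-1-1704067200.pcap"}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.2","alert":{"signature_id":2,"signature":"TEST 2"}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.3"}
this line is not json
"""


def audit_capture_file(lines):
    """Walk EVE JSON lines and report which alert events lack capture_file.

    Returns a dict with:
      alerts            - number of alert events seen
      with_capture_file - how many of them carried a non-empty capture_file
      missing           - list of (line number, signature_id) for alerts without it
      files             - Counter of distinct capture_file values
      unparsable        - lines that were not valid JSON (skipped, not fatal)
    """
    summary = {
        "alerts": 0,
        "with_capture_file": 0,
        "missing": [],
        "files": Counter(),
        "unparsable": 0,
    }
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            # A truncated or partially written line should not abort the audit.
            summary["unparsable"] += 1
            continue
        if event.get("event_type") != "alert":
            continue
        summary["alerts"] += 1
        capture_file = event.get("capture_file")
        if capture_file:
            summary["with_capture_file"] += 1
            summary["files"][capture_file] += 1
        else:
            sid = event.get("alert", {}).get("signature_id")
            summary["missing"].append((lineno, sid))
    return summary


def audit_eve_file(path):
    """Audit a real eve.json file on disk (path is supplied by the caller)."""
    with open(path, encoding="utf-8") as fh:
        return audit_capture_file(fh)


if __name__ == "__main__":
    # Usage: python audit_capture_file.py /var/log/suricata/eve.json
    # Without an argument the constructed sample above is audited.
    if len(sys.argv) > 1:
        result = audit_eve_file(sys.argv[1])
    else:
        result = audit_capture_file(SAMPLE_EVE_LINES.splitlines())
    print(f"alerts: {result['alerts']}, with capture_file: {result['with_capture_file']}, "
          f"unparsable lines: {result['unparsable']}")
    for lineno, sid in result["missing"]:
        print(f"  line {lineno}: alert sid={sid} has no capture_file")
    for name, count in result["files"].items():
        print(f"  {count} alert(s) reference {name}")
```

Run it against the live eve.json after each change to the pcap-log section; if `missing` stays non-empty for every alert, the configuration change did not take effect for that output, and the distinct file names in `files` show which pcap files the alerts that do carry the key point to.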