Suricata Intrusion Detection: Part Five


Logs management in Suricata.

In the previous articles on Suricata, we covered basic installation and configuration of this intrusion detection system, including deciding which rules to download and use, and setting up an interface. In this article, we take a look at log management.

Log Management in Suricata

The top level of the Suricata interface has 11 tabs; click the “Logs Mgmt” tab (in the current version of Suricata, it is the 9th tab). Under “General Settings”, there are two options. The first is the “Remove Suricata Log Files During Package Uninstall” check box, which causes the Suricata log files to be removed when the package is uninstalled. The “Auto Log Management” check box enables automatic, unattended management of the Suricata logs using the parameters set in the rest of the page.

The next section is “Log Directory Size Limit”. The radio buttons in this section allow you to enable or disable the directory size limit. Enabling a limit imposes a hard limit on the combined log directory size of all Suricata interfaces. When the size limit is reached, rotated logs for all interfaces will be removed, and any active logs will be pruned to zero length. The edit box in this section allows you to set the log directory size; the default value is 20% of available space.

The next section is “Log Size and Retention Limits”. Here, you can configure different size and retention limits for different logs. These options will only be enabled if you checked the “Auto Log Management” check box. Logs which can be configured here are: alerts (Suricata alerts and event details), block (Suricata blocked IPs and event details), dns (DNS request and reply details), eve-json (JavaScript Object Notation data), files-json (captured HTTP events and session information), sid_changes (log of security ID [SID] changes made by SID Management config files), stats (Suricata performance stats), and tls (SMTP TLS handshake details). Settings will be ignored for any log in this list not enabled on the Interface Settings tab. When a log reaches the maximum size limit, it will be rotated and tagged with a time stamp.

The next setting is the “Unified2 Log Limit”, which sets the maximum size for a unified2 log file before it is rotated and a new one created. Below that is the “Unified2 Archived Log Retention Period”. Here you can choose the retention period for the archived Barnyard2 binary log files. When Barnyard2 output is enabled, Suricata writes event data in binary format that Barnyard2 reads and processes. When finished processing a file, Barnyard2 moves it to an archive folder. The setting determines how long files remain in the archive folder before they are automatically deleted. Finally, there’s the “Captured Files Retention Period” dropdown box. Here you can choose the retention period for captured files. When file capture and storage is enabled, Suricata captures downloaded files from HTTP sessions and stores them, along with metadata, for later analysis. This setting determines how long files remain in the File Store folder before they are automatically deleted. Press the “Save” button at the bottom of the page to save settings.
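To make the behaviour of these settings concrete, here is a small Python emulation of the three mechanisms described above: per-log size rotation tagged with a time stamp, per-log retention of rotated files, and the hard directory size limit that removes rotated logs and prunes active logs to zero length. It is an added example, not code from the article or from the pfSense Suricata package; the file names, byte limits and time-stamp format are assumptions.

```python
"""Emulate Suricata 'Auto Log Management' as described above (constructed
example, not the pfSense package's own code). Log names, limits and the
time-stamp format are assumptions for illustration."""
import re
import time
from pathlib import Path

# A rotated log looks like "<name>.log.<YYYYMMDD-HHMMSS>" (assumed format).
ROTATED = re.compile(r"^(?P<base>.+\.log)\.(?P<stamp>\d{8}-\d{6})$")

def rotate_oversized(log_dir: Path, size_limits: dict, now: float) -> list:
    """Rotate every active log above its byte limit, tagging the rotated
    copy with a time stamp and starting a fresh, empty active log."""
    rotated = []
    for name, limit in size_limits.items():
        active = log_dir / name
        if active.exists() and active.stat().st_size > limit:
            stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
            target = log_dir / f"{name}.{stamp}"
            active.rename(target)
            active.touch()  # new zero-length active log
            rotated.append(target.name)
    return rotated

def expire_rotated(log_dir: Path, retention_days: dict, now: float) -> list:
    """Delete rotated logs older than their log's retention period (in days)."""
    removed = []
    for path in sorted(log_dir.iterdir()):
        m = ROTATED.match(path.name)
        if not m:
            continue  # active log or unrelated file: leave it alone
        days = retention_days.get(m["base"])
        if days is not None and now - path.stat().st_mtime > days * 86400:
            path.unlink()
            removed.append(path.name)
    return removed

def enforce_dir_limit(log_dir: Path, limit_bytes: int) -> bool:
    """Hard limit on the combined directory size: when exceeded, remove all
    rotated logs and prune every active log to zero length. Returns True
    when the limit was hit and the cleanup ran."""
    files = [p for p in log_dir.iterdir() if p.is_file()]
    if sum(p.stat().st_size for p in files) <= limit_bytes:
        return False
    for path in files:
        if ROTATED.match(path.name):
            path.unlink()
        else:
            path.write_bytes(b"")
    return True
```

Running the three functions in that order (rotate, expire, then enforce the directory limit) against a copy of the Suricata log directory reproduces what the GUI does unattended.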

External Links:

The official Suricata web site

© 2013 David Zientara. All rights reserved.