StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

SELKS Docker /suricata/update Issue #463

Open ozburakoz opened 2 months ago

ozburakoz commented 2 months ago

Hello, I recently installed the SELKS 7 Docker version, but somehow I cannot generate fast.log. I am new to the Docker architecture. On the UI, I try to update, build and push the ruleset, but it returns a server 500 error. I manually copied the scirius.rules to /opt/selksd/SELKS/docker/containers-data/suricata/etc/rules/ and restarted the containers with "docker-compose stop", "docker-compose down", "docker-compose up -d". Still the same :( . The output of the django-error logs:

```
2024-05-11 09:51:27,583 ERROR Internal Server Error: /rest/rules/es/health/
2024-05-11 09:51:33,574 ERROR Internal Server Error: /rest/rules/es/health/
2024-05-11 09:53:36,120 ERROR Internal Server Error: /suricata/update
Traceback (most recent call last):
  File "/root/.local/lib/python3.9/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/root/.local/lib/python3.9/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/root/.local/lib/python3.9/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/root/.local/lib/python3.9/site-packages/django/contrib/auth/decorators.py", line 21, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/opt/scirius/suricata/views.py", line 166, in update
    suri.generate()
  File "/opt/scirius/suricata/models.py", line 60, in generate
    with open(self.output_directory + "/" + "scirius.rules", 'w') as rfile:
FileNotFoundError: [Errno 2] No such file or directory: '/opt/selksd/SELKS/docker/containers-data/suricata/etc/rules/scirius.rules'
2024-05-11 10:03:25,058 ERROR Internal Server Error: /suricata/update
Traceback (most recent call last):
  File "/root/.local/lib/python3.9/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/root/.local/lib/python3.9/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/root/.local/lib/python3.9/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/root/.local/lib/python3.9/site-packages/django/contrib/auth/decorators.py", line 21, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/opt/scirius/suricata/views.py", line 166, in update
    suri.generate()
  File "/opt/scirius/suricata/models.py", line 60, in generate
    with open(self.output_directory + "/" + "scirius.rules", 'w') as rfile:
FileNotFoundError: [Errno 2] No such file or directory: '/opt/selksd/SELKS/docker/containers-data/suricata/etc/rules/scirius.rules'
```

I cannot find which suricata.yaml is the main config. I changed the yaml file in this folder "/opt/selksd/SELKS/docker/containers-data/suricata/etc" for the default rule path at the end of the .yaml, but it changes nothing. Output of the Suricata logs about the rules file:

```
Error: reputation: opening ip rep file /etc/suricata/rules/scirius-categories.txt: No such file or directory
[1 - Suricata-Main] 2024-05-11 10:13:59 Error: reputation: failed to load reputation categories file /etc/suricata/rules/scirius-categories.txt
[1 - Suricata-Main] 2024-05-11 10:13:59 Warning: classification-config: could not open: "/etc/suricata/rules/classification.config": No such file or directory
[1 - Suricata-Main] 2024-05-11 10:13:59 Error: classification-config: please check the "classification-file" option in your suricata.yaml file
[1 - Suricata-Main] 2024-05-11 10:13:59 Warning: detect: No rule files match the pattern /etc/suricata/rules/scirius.rules
[1 - Suricata-Main] 2024-05-11 10:13:59 Config: detect: No rules loaded from scirius.rules.
[1 - Suricata-Main] 2024-05-11 10:13:59 Warning: detect: 1 rule files specified, but no rules were loaded!
[1 - Suricata-Main] 2024-05-11 10:13:59 Warning: threshold-config: Error opening file: "/etc/suricata/rules/threshold.config": No such file or directory
[1 - Suricata-Main] 2024-05-11 10:13:59 Info: detect: 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
```

I just want to try to operate Suricata and add rulesets, with the UI or not. Can you advise what I am missing? Thanks for your help.

pevma commented 1 month ago

Fast.log is disabled by default as it is legacy.
All Suricata alerts, protocol, file transaction, flow and anomaly logs are enabled and available as JSON in eve.json by default.
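Since eve.json is the default output, alerts are already there even with fast.log off. As an added example (not SELKS or Scirius code), the script below reads EVE JSON lines, keeps only the alert records, and renders them in the fast.log layout; the sample EVE lines, SIDs, signature names and addresses are constructed, and the port value 0 for ICMP is this example's stand-in because fast.log always prints a port field.

```python
# Added example (not SELKS or Scirius code): read Suricata EVE JSON, keep only
# alert records, and print them in the legacy fast.log layout.
import json
from datetime import datetime

# Constructed sample eve.json content: one JSON object per line. SIDs, signature
# names and addresses are made up; the last line is deliberately truncated, as a
# line still being written by Suricata at read time would be.
SAMPLE_EVE = """\
{"timestamp":"2024-05-11T10:20:01.123456+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
{"timestamp":"2024-05-11T10:20:02.654321+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED HTTP probe","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-11T10:20:03.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"10.0.0.5","proto":"ICMP","alert":{"gid":1,"signature_id":1000002,"rev":1,"signature":"CONSTRUCTED ICMP ping","category":"Misc activity","severity":3}}
{"timestamp":"2024-05-11T10:20:04.000000+0000","event_type":"alert","src_ip"
"""


def eve_alerts(lines):
    """Yield parsed EVE records whose event_type is 'alert'; skip blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partial line must not abort the whole pass
        if rec.get("event_type") == "alert":
            yield rec


def fast_line(rec):
    """Render one EVE alert in fast.log layout; 0 stands in where EVE carries no port."""
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    a = rec["alert"]
    return (
        f"{ts.strftime('%m/%d/%Y-%H:%M:%S.%f')}  [**] "
        f"[{a['gid']}:{a['signature_id']}:{a['rev']}] {a['signature']} [**] "
        f"[Classification: {a['category']}] [Priority: {a['severity']}] "
        f"{{{rec['proto']}}} {rec['src_ip']}:{rec.get('src_port', 0)} -> "
        f"{rec['dest_ip']}:{rec.get('dest_port', 0)}"
    )


def render_fast_log(text):
    """Return fast.log-style lines for every alert in the given eve.json text."""
    return [fast_line(r) for r in eve_alerts(text.splitlines())]


if __name__ == "__main__":
    for out in render_fast_log(SAMPLE_EVE):
        print(out)
```

Run it against a real file with `render_fast_log(open("/path/to/eve.json").read())`; flow, protocol and other non-alert event types are dropped, which is the filtering fast.log did implicitly.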