Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata seems to function but not showing blocks/alerts reliably

    IDS/IPS
    2
    5
    109
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      skogs
      last edited by

      I've seen this a couple times over the years and usually resolved with a reinstall of suricata from package manager. This week it isn't working.

      So it seems to be functioning normally, but the blocks/alerts log files keep getting blanked out. Any page like the alerts or blocks that is supposed to show blocks or alerts shows nothing usually upon loading the page...then a few ... then nothing again at the next refresh.

      Anybody got ideas on what is nuking the list?

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance @skogs
        last edited by

        @skogs Suricata log rotation? There’s a total space setting too as I recall…

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        S 1 Reply Last reply Reply Quote 0
        • S
          skogs @SteveITS
          last edited by

          @SteveITS
          Staring at /var/log/suricata/suricata_igcxxxxx does indeed confirm the alerts.log and block.log getting nuked every 5 minutes.
          Just a little excessive and I'm not quite sure where it is coming from.

          1 Reply Last reply Reply Quote 0
          • S
            skogs
            last edited by

            There was one single fat file in there. I'm curious if it is simply triggering the combined log directory size limit. For giggles I deleted the logs manually and fired it back up. Seems to have made it beyond the 5 minute mark at least.

            I spent some quality time looking at normal log rotation stuff before posting. I didn't even think to look at the logs strictly to consider size. Oops.

            S 1 Reply Last reply Reply Quote 0
            • S
              SteveITS Rebel Alliance @skogs
              last edited by

              @skogs Sometimes, it takes a village. :)

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.