On 2020-01-18 07:08, Eric Zylstra wrote:
On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot <ajacou...@bsdfrog.org> wrote:
On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
OpenBSD 6.6 Generic.MP amd64
Stable.
I installed suricata using pkg_add. Having trouble with starting it.
$ doas rcctl start suricata
…fails. No informative fail message, though.
Run rcctl in debug mode.
Notable that man rcctl(8) does not contain the word “debug”. I had to
do a web search to confirm the -d argument was what I needed to get
debug output.
Greetings,
I have been using Suricata from packages for a while now. No real changes to
configs.
I don't use /etc/rc.d/suricata at all.
To START suricata in live mode -
Do this (as root):
# suricata -v -c /etc/suricata/suricata.yaml -i em0 &
(please substitute your collection I/F as needed. Mine is em0 as in the
example above)
Let that stew for a while but you can hit enter to get back to your
prompt.
To STOP suricata: pgrep suricata and kill -9 the pid returned.
If I may add:
Be sure to keep an eye on your logs as they will grow beyond bounds
(/var/logs/suricata/). I generate eve.json at about 6GB in size in about
10 days.
Regards,
Zann
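The manual start/stop routine and the log-growth warning in the reply above, written up as a small wrapper script. This is an added example for this thread, not code from any poster or from the Suricata package. It assumes suricata is started with --pidfile so that a rotation job can signal it without pgrep, that /var/run/suricata.pid and /var/log/suricata/eve.json are the paths in use, and it relies on two documented Suricata behaviours: SIGTERM makes it shut down cleanly and flush its outputs (which kill -9 does not), and SIGHUP makes it close and reopen its log files, which is what newsyslog(8) sends by default after rotating a file that has a pid_file column.

```shell
#!/bin/sh
# Added example (not from the thread): run suricata by hand on OpenBSD with a
# pidfile, stop it cleanly, and keep eve.json from growing without bound.
# Assumed paths; adjust to your system. em0 is the capture interface.
SURICATA_CONF=${SURICATA_CONF:-/etc/suricata/suricata.yaml}
SURICATA_IF=${SURICATA_IF:-em0}
SURICATA_PIDFILE=${SURICATA_PIDFILE:-/var/run/suricata.pid}
EVE_LOG=${EVE_LOG:-/var/log/suricata/eve.json}
EVE_LIMIT_KB=${EVE_LIMIT_KB:-1048576}   # rotate once eve.json passes 1 GiB

# log_kb FILE: size of FILE in KiB, 0 when the file does not exist.
log_kb() {
    [ -f "$1" ] || { echo 0; return 0; }
    echo $(( $(wc -c < "$1") / 1024 ))
}

# rotation_due FILE LIMIT_KB: succeeds when FILE is larger than LIMIT_KB.
rotation_due() {
    [ "$(log_kb "$1")" -gt "$2" ]
}

# reopen_logs PIDFILE: SIGHUP suricata so it reopens eve.json after the old
# file has been moved aside (what newsyslog does after a rotation).
reopen_logs() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    kill -HUP "$pid"
}

# stop_suricata PIDFILE: SIGTERM and wait for exit, so buffered events reach
# disk; returns 2 if the process is still alive after 30 seconds.
stop_suricata() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    kill -TERM "$pid" 2>/dev/null || return 1
    n=0
    while kill -0 "$pid" 2>/dev/null; do
        n=$((n + 1))
        [ "$n" -ge 30 ] && return 2
        sleep 1
    done
    rm -f "$1"
}

# newsyslog_line FILE PIDFILE LIMIT_KB: a newsyslog.conf(5) entry that rotates
# FILE once it exceeds LIMIT_KB, keeps 7 gzip'd copies, adds no text marker to
# the JSON (B flag), and sends the default SIGHUP to the pid in PIDFILE.
newsyslog_line() {
    printf '%s 640 7 %s * ZB %s\n' "$1" "$3" "$2"
}

case "${1:-}" in
    start)
        # live mode, daemonised; -v as in the thread is optional
        suricata -D -c "$SURICATA_CONF" -i "$SURICATA_IF" --pidfile "$SURICATA_PIDFILE"
        ;;
    stop)
        stop_suricata "$SURICATA_PIDFILE"
        ;;
    check)
        if rotation_due "$EVE_LOG" "$EVE_LIMIT_KB"; then
            echo "$EVE_LOG is $(log_kb "$EVE_LOG") KiB, rotate it:"
            newsyslog_line "$EVE_LOG" "$SURICATA_PIDFILE" "$EVE_LIMIT_KB"
        fi
        ;;
esac
```

Usage: `doas ./suricata-manual.sh start`, later `doas ./suricata-manual.sh stop`; `./suricata-manual.sh check` prints the newsyslog.conf line to append when eve.json has grown past the limit, after which newsyslog(8) handles rotation and the SIGHUP for you. If you do keep using the package's rc.d script instead, `rcctl -d start suricata` shows the failing command and its output.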