Suricata error - no logging

[im_etten]

I have a new setup and I logged on to the firewall device to check some items. I noticed that there was an error for the suricata.

SC_ERR_MISSING_CONFIG_PARM(118)
No logging compatible with dameon mode selected, suricata won't be able to log. Please update  'logging.outputs' in the YAML.

Suricata version 4.0.4 release.

Can someone let me know if this is something I need to fix and how?

[myksto]

I'm having the same error even though everything seems to be fine.
In OpNSense -> Services -> Intrusion Detection -> Administration -> Alerts I have some data, that's why I guess everything is ok.
The log file is empty (this might be strange I guess).

Everytime the firewall is rebooted I see the error posted by im_etten.

Should we edit some config file in Suricata dir o we can just ignore the message on console?

Thanks, Michele.

[dcol]

Turn on logging in IDS and it will go away. When logging is not enabled, Suricata cannot find a logging method and this produces the error. It can be ignored.

[myksto]

Thanks for reply.
Where can we turn logging on on IDS?
To tell the truth I can't find any flag to turn logging on or off.

Thanks, Michele.

[franco]

It's "Enable syslog". We've discussed enabling this by default soon as it makes no sense offer it optionally anymore.


Cheers,
Franco

[myksto]

Ok, thanks. Error messages are not there anymore. Suricata log file is populeted.
Anyway now I have thesse messages on console:

471.089924 [ 254] generic_find_num_desc     called, in tx 1024 rx 1024
471.096416 [ 262] generic_find_num_queues   called, in txq 0 rxq 0
471.102544 [ 760] generic_netmap_dtor       Restored native NA 0
471.117203 [ 254] generic_find_num_desc     called, in tx 1024 rx 1024
471.123579 [ 262] generic_find_num_queues   called, in txq 0 rxq 0
471.129740 [ 760] generic_netmap_dtor       Restored native NA 0
471.158682 [ 254] generic_find_num_desc     called, in tx 1024 rx 1024
471.187915 [ 262] generic_find_num_queues   called, in txq 0 rxq 0

And I really don't know what they stands for: any suggestion? Can I ignore them?

Thanks again, Michele.

[dcol]

What NIC adapter are you using? Looks like you have one that defaults to the software netmap.
Best to turn off IPS if you don't have a netmap compatible NIC.

[franco]

Hi Michele,

These are Netmap emulation (IPS mode) diagnostics messages and can be safely ignored.


Cheers,
Franco

[franco]

@dcol I think emulation mode is safe to run

[dcol]

Yes, emulation mode is safe. But optimal performance, however, is only obtained with netmap-enabled NIC drivers

[myksto]

@dcol
WAN NIC (the one where suricata works on) is a "Broadcom BCM5721" and OPNSense recognizes it as is BGE0.
Is that an netmap compatible NIC?
If it was not, I could swith to another NIC such as Intel Pro (Chipset 82571GB).
How can I know whether they're compatible or not?

Thanks, Michele.

[dcol]

Your Intel NIC would be netmap compatible using the em driver.
Netmap supports ixgbe, em, lem, re, igb drivers in FreeBSD

[franco]

cxgbe, ixl and vtnet seems to be supported natively nowadays also.

[myksto]

Thanks to dcol and franco.
I switched my WAN from Broadcom to Intel NIC and messages on console disappeared.
To tell the truth I don't know what "IPS emulation mode" is and why those messages appear on console but now that I know that my Intel NIC is netmap supported, I'm more happy.

Thanks a lot and cheers, Michele.

[dcol]

To put it simply, IPS emulation mode means that netmap is managed by software. It deals with how the network stack is handled. Best way to explain it without all the technical jargon.