This issue was moved to a discussion.

The problem of data latency when network traffic is particularly high #513

Closed
alleniverson33 opened this issue Nov 26, 2024 · 3 comments
Labels: performance (Related to speed/performance), suricata (Relating to Malcolm's use of Suricata)

Comments

@alleniverson33

When the network traffic is particularly high, the Suricata alarm shows a delay of one hour in the dashboard. Is there any good solution to this?
I feel like Logstash can't forward it anymore.

@alleniverson33 alleniverson33 added the enhancement New feature or request label Nov 26, 2024
@mmguero mmguero added this to Malcolm Nov 26, 2024
@mmguero (Collaborator)

mmguero commented Nov 26, 2024

I don't understand what you're saying: what do you mean the suricata alarm? Just that the data is taking an hour to show up? Or does the data have incorrect time stamps? What are your system specs? Is it with or without a network sensor? Is the other data (zeek?) showing up correctly?

I'm going to be on vacation until December 2nd, but I will follow up here when I return.

@alleniverson33 (Author)

> I don't understand what you're saying: what do you mean the suricata alarm? Just that the data is taking an hour to show up? Or does the data have incorrect time stamps? What are your system specs? Is it with or without a network sensor? Is the other data (zeek?) showing up correctly?
>
> I'm going to be on vacation until December 2nd, but I will follow up here when I return.

Malcolm on k8s.
When I attack a target, theoretically Suricata can detect the attack and display the record on the dashboard.
Testing in a test environment works normally: as long as an attack occurs, the attack record is displayed.
But in production environments, network traffic may be particularly high, and attack records may not be real-time. It may take an hour to see the logs of the attack.
I'm not sure if it's a problem with Filebeat collection or if OpenSearch insertion is experiencing a bottleneck.

@mmguero (Collaborator)

mmguero commented Dec 2, 2024

Converting to a troubleshooting discussion, we can continue the conversation there.

@cisagov cisagov locked and limited conversation to collaborators Dec 2, 2024
@mmguero mmguero converted this issue into discussion #517 Dec 2, 2024
@github-project-automation github-project-automation bot moved this to Done in Malcolm Dec 2, 2024
@mmguero mmguero added performance Related to speed/performance suricata Relating to Malcolm's use of Suricata and removed enhancement New feature or request labels Dec 2, 2024
@mmguero mmguero moved this from Done to Invalid in Malcolm Dec 2, 2024
