I did have a question: When set to daily reports, I notice that the number of hits in the report does not line up with the IPFire logs. It seems to omit the occasional hit. For example, on a report from 10/31, I count 21 line items (hits) on the emailed report, but the actual logs for the same day show 25 hits. Comparing the two lists, I can see the following hits were omitted from the emailed log:
Date: 10/31 06:04:46 | Name: ET Threatview.io High Confidence Cobalt Strike C2 IP group 5 | Priority: 2 | Type: Misc Attack
Date: 10/31 12:28:21 | Name: ET Threatview.io High Confidence Cobalt Strike C2 IP group 5 | Priority: 2 | Type: Misc Attack
Date: 10/31 18:00:11 | Name: ET Threatview.io High Confidence Cobalt Strike C2 IP group 5 | Priority: 2 | Type: Misc Attack
Date: 10/31 19:00:30 | Name: ET Threatview.io High Confidence Cobalt Strike C2 IP group 5 | Priority: 2 | Type: Misc Attack
I looked on 11/1/25 and saw a similar pattern. 43 hits in the Logs, and only 36 hits in the emailed report.
Any idea what’s going on? Is this intended?
Last question: Can you change what time the daily log delivers? Currently it is delivering at 9:00am. I would like it to deliver somewhere between 6:00am and 7:00am so I can review the logs prior to my day becoming crazy busy.
I did a quick check earlier with my phone and on my system with only Emerging Threats it has missed out all the entries from 00:00 to 01:00, but that is quite different to what @bloater99 found, as those missed ones were from different times of the day.
I will try and check out later some different days and see if I have the same time period missed or not.
Did those happen to be on the day of the time change? Or I suppose you don’t have to deal with time changes in your country?
I have not had time to look for patterns to see if there’s any rhyme or reason to the ones that are being omitted. But I will try to do that when things slow down a bit at work.
I checked the data for Nov 2 and there were also missed entries in the daily pdf file but this time distributed at different times throughout the day.
I checked the /var/log/messages file and found, at around the times of some of the alerts that I checked the timings for, the following message:
suricata-reporter[2518]: Failed to process: database is locked
Traceback (most recent call last):
  File "/usr/bin/suricata-reporter", line 335, in run
    self.process(event)
  File "/usr/bin/suricata-reporter", line 422, in process
    return self.process_alert(event)
  File "/usr/bin/suricata-reporter", line 435, in process_alert
    self.db.execute("INSERT INTO alerts(timestamp, event) VALUES(?, ?)",
sqlite3.OperationalError: database is locked
On Nov 2nd I have that message 10 times in the log.
I did not tag a new release because I did not consider this significant enough and I only noticed this when a cleanup job was running on a larger database.
Does the number of errors match the amount of missing entries?
I got some time to check through. I had 10 of those error messages on 2nd Nov and the report had 279 entries and in the logs there were 289 entries so the same delta of 10.
So yes, the number of errors matches the number of missing entries.
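The failure mode diagnosed above (an INSERT losing to a concurrent writer such as a cleanup job, and the alert being dropped rather than retried) reproduced in Python, as an added example that is not the suricata-reporter code; the table layout, the lock-holding stand-in for the cleanup job and the backoff helper are assumptions for illustration:

```python
import os
import sqlite3
import tempfile
import threading
import time

# Same statement as in the traceback; the table layout is assumed.
INSERT = "INSERT INTO alerts(timestamp, event) VALUES(?, ?)"

def insert_alert(db_path, timestamp, event, retries=0, base_delay=0.05):
    """Store one alert. Returns True if written, False if given up (alert dropped).
    retries=0 mirrors the behaviour seen in the thread: one attempt, then the alert is lost."""
    conn = sqlite3.connect(db_path, timeout=0)  # timeout=0: fail at once instead of busy-waiting
    try:
        for attempt in range(retries + 1):
            try:
                with conn:  # commits on success, rolls back on error
                    conn.execute(INSERT, (timestamp, event))
                return True
            except sqlite3.OperationalError as err:
                if "locked" not in str(err) or attempt == retries:
                    return False
                time.sleep(base_delay * 2 ** attempt)  # exponential backoff, then retry
    finally:
        conn.close()

def hold_write_lock(db_path, seconds, locked):
    """Stand-in for the cleanup job: take the write lock and keep it for a while."""
    conn = sqlite3.connect(db_path)
    conn.execute("BEGIN IMMEDIATE")  # takes the RESERVED lock other writers collide with
    locked.set()
    time.sleep(seconds)
    conn.commit()
    conn.close()

def simulate(retries, n_alerts=5):
    """Deliver n_alerts while the 'cleanup' holds the lock; return how many were stored."""
    db_path = os.path.join(tempfile.mkdtemp(), "alerts.db")
    setup = sqlite3.connect(db_path)
    with setup:
        setup.execute("CREATE TABLE alerts(timestamp TEXT, event TEXT)")
    setup.close()
    locked = threading.Event()
    job = threading.Thread(target=hold_write_lock, args=(db_path, 0.3, locked))
    job.start()
    locked.wait()  # only start inserting once the lock is genuinely held
    stored = sum(insert_alert(db_path, f"11/02 00:00:{i:02d}", "constructed test alert", retries)
                 for i in range(n_alerts))
    job.join()
    return stored

def demo():
    """(alerts kept with no retry, alerts kept with 5 retries) -> expect (0, 5)."""
    return simulate(retries=0), simulate(retries=5)
```

Run demo() to see the delta: every alert that arrives while the lock is held is lost without a retry, and none are lost with backoff, matching the one-error-per-missing-entry count observed above.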
I also asked if it was possible to adjust the time the reports are sent. Is it a cronjob that can be edited?
I ask because by the time the reports arrive at 9:00am, I am knee-deep in my work. I usually come in 30-60 minutes early and it would be great if they were in my inbox at that time, when I have more free time to peruse them.
Just a little question. Is it possible to include the patch into the running 198 system by manual editing?
Thus it would be possible to do an immediate test.
The patch references a file suricata-reporter.in, my system has only suricata-reporter.
No, currently this cannot be edited and I am not sure whether it should be editable.
I randomly picked 9 am when I wrote the scripts, but in the forthcoming Core Update, this will change to 1 am, as several people have asked for the reports to be sent earlier:
1 am works better than 9am, so I’ll take it. I usually arrive to work at 6:30am and the shift starts at 7:30am, so I use that hour I arrive early for things like scanning logs. Once 7:30 hits, things get busy, so it’s harder to do this sort of thing.