[Oisf-devel] EXTERNAL: Problem with eve logging using syslog

Duarte Silva duarte.silva at serializing.me
Wed Jul 16 15:49:31 UTC 2014


On Wednesday 16 July 2014 15:02:20 Gofran, Paul wrote:
> Duarte,
> 
> See issue #1204, I believe it covers what you're looking for:
> https://redmine.openinfosecfoundation.org/issues/1204
> 
> -Paul

Thanks Paul, that seems to be the cause :) There is a pull request from Tom, I 
will test it out.

Cheers,
Duarte

> 
> -----Original Message-----
> From: oisf-devel-bounces at lists.openinfosecfoundation.org
> [mailto:oisf-devel-bounces at lists.openinfosecfoundation.org] On Behalf Of
> Duarte Silva Sent: Wednesday, July 16, 2014 10:53 AM
> To: oisf-devel at lists.openinfosecfoundation.org
> Subject: EXTERNAL: [Oisf-devel] Problem with eve logging using syslog
> 
> Hi guys,
> 
> I have the following Syslog configuration on my Suricata sensor (forward logs to a server):
> > # cat /etc/rsyslog.d/suricata.conf
> > local5.* @logserver:514
> 
> And the following Suricata Eve configuration:
> >  - eve-log:
> >      enabled: yes
> >      type: syslog #file|syslog|unix_dgram|unix_stream
> >      filename: eve.json
> >      # the following are valid when type: syslog above
> >      #identity: "suricata"
> >      facility: local5
> >      #level: Info ## possible levels: Emergency, Alert, Critical,
> >                   ## Error, Warning, Notice, Info, Debug
> 
> When an event happens, I get on the Suricata sensor /var/log/messages file the respective log event:
> > Jul 16 14:24:44 pidsint suricata: {"timestamp":"2014-07-16T14:24:44.416708","event_type":"alert","src_ip":"client","src_port":51958,"dest_ip":"server","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006380,"rev":12,"signature":"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted","category":"Potential Corporate Privacy Violation","severity":1}}
> 
> The problem is, even though the event is written into /var/log/messages, it doesn't get forwarded unless I enable Suricata syslog logging. I have the following syslog configuration:
> >  - syslog:
> >      enabled: yes
> >      # reported identity to syslog. If omitted the program name (usually
> >      # suricata) will be used.
> >      #identity: "suricata"
> >      facility: local5
> >      #level: Info ## possible levels: Emergency, Alert, Critical,
> >                   ## Error, Warning, Notice, Info, Debug
> 
> But if I enable syslog logging, both log events get forwarded to the log server. In the Suricata sensor /var/log/messages file:
> > Jul 16 14:25:32 pidsint suricata[29738]: {"timestamp":"2014-07-16T14:25:32.783633","event_type":"alert","src_ip":"client","src_port":52119,"dest_ip":"server","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006380,"rev":12,"signature":"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted","category":"Potential Corporate Privacy Violation","severity":1}}
> > Jul 16 14:25:32 pidsint suricata[29738]: [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} client:52119 -> server:80
> 
> In the log server:
> > {"timestamp":"2014-07-16T14:25:32.783633","event_type":"alert","src_ip":"client","src_port":52119,"dest_ip":"server","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006380,"rev":12,"signature":"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted","category":"Potential Corporate Privacy Violation","severity":1}}
> > [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} client:52119 -> server:80
> 
> This leads me to think there is a bug that makes eve logging (using
> syslog) dependent upon syslog logging. Do you guys have any idea why this is
> happening?
> 
> Cheers,
> Duarte
> 
> 
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/ List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
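A small parser for the two kinds of Suricata syslog records quoted above (the eve JSON line and the fast-format alert line), added here as an example rather than code from the thread or from Suricata itself; it reassembles the quoted records as constructed sample input and counts, per signature id, how many of each kind were seen, which is a quick way to spot the forwarding gap when comparing the sensor's /var/log/messages with the collector's file. The function names (parse_line, reconcile) and the record layout are my own assumptions.

```python
import json
import re

# rsyslog header "Mon DD HH:MM:SS host tag[pid]: msg"; the pid is optional, as in the thread.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
# Fast-format alert as emitted by the 'syslog' output: [gid:sid:rev] msg [Classification: ...] ...
FAST_RE = re.compile(r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
                     r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
                     r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$")

def parse_line(line):
    """Classify one syslog line as an 'eve' (JSON) or 'fast' alert record; None if neither."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"host": m["host"], "tag": m["tag"], "pid": m["pid"]}
    msg = m["msg"]
    if msg.startswith("{"):
        try:
            ev = json.loads(msg)
        except ValueError:
            return None
        rec.update(kind="eve", sid=ev.get("alert", {}).get("signature_id"), event=ev)
        return rec
    f = FAST_RE.match(msg)
    if f:
        rec.update(kind="fast", sid=int(f["sid"]), src=f["src"], dst=f["dst"])
        return rec
    return None

def reconcile(lines):
    """Per signature id, count eve vs fast records (run on sensor and collector files, then diff)."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sid"] is None:
            continue
        counts.setdefault(rec["sid"], {"eve": 0, "fast": 0})[rec["kind"]] += 1
    return counts

# Constructed sample input, reassembled from the line-wrapped records quoted in the thread.
EVE_JSON = ('{"timestamp":"2014-07-16T14:25:32.783633","event_type":"alert","src_ip":"client",'
            '"src_port":52119,"dest_ip":"server","dest_port":80,"proto":"TCP","alert":{"action":'
            '"allowed","gid":1,"signature_id":2006380,"rev":12,"severity":1}}')
SENSOR_LINES = [
    "Jul 16 14:24:44 pidsint suricata: " + EVE_JSON,         # eve-log only: tag has no pid
    "Jul 16 14:25:32 pidsint suricata[29738]: " + EVE_JSON,  # with the syslog output enabled
    "Jul 16 14:25:32 pidsint suricata[29738]: [1:2006380:12] ET POLICY Outgoing Basic Auth "
    "Base64 HTTP Password detected unencrypted [Classification: Potential Corporate Privacy "
    "Violation] [Priority: 1] {TCP} client:52119 -> server:80",
]
```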
