<div dir="ltr">Ack. <div><br></div><div>nc is great for backdoors, but not exactly my first choice for production configurations.<div><br></div><div>Just export it with a specific facility.<div><br></div><div>rsyslog.conf snippet:</div><div>local5.*;<a href="http://mark.info">mark.info</a> @<a href="http://foo.bar.com">foo.bar.com</a><br></div><div><br></div><div><br></div><div>suricata.yaml snippet (note the double syslog config; necessary as eve-log to syslog doesn't do anything without "- syslog:" also configured; someday this will get fixed?) :</div><div><br></div><div><div> - syslog:</div><div> enabled: yes</div><div> # reported identity to syslog. If omitted the program name (usually</div><div> # suricata) will be used.</div><div> identity: "suricata"</div><div> facility: local5</div><div> level: Info ## possible levels: Emergency, Alert, Critical,</div><div> ## Error, Warning, Notice, Info, Debug</div><div><br></div><div> # Extensible Event Format (nicknamed EVE) event log in JSON format</div><div> - eve-log:</div><div> append: yes</div><div> enabled: yes</div><div> type: syslog #file|syslog|unix_dgram|unix_stream</div><div> #filename: eve-port0.json</div><div> # the following are valid when type: syslog above</div><div> identity: "suricata"</div><div> facility: local5</div><div> level: Info ## possible levels: Emergency, Alert, Critical,</div><div> ## Error, Warning, Notice, Info, Debug</div><div> types:</div><div> - alert:</div><div> payload: no # enable dumping payload in Base64</div><div> payload-printable: yes # enable dumping payload in printable (lossy) format</div><div> packet: no # enable dumping of packet (without stream segments)</div><div> http: no # enable dumping of http fields</div></div></div></div><div><br></div><div><br></div><div><br></div><div>Or you could just use Splunk with a Splunk Universal Forwarder and just eat the eve.json directly off the sensor ;-P</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 30, 2015 at 9:29 AM, Oliver Humpage <span dir="ltr"><<a href="mailto:oliver@watershed.co.uk" target="_blank">oliver@watershed.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
On 30 Jun 2015, at 15:05, <a href="mailto:chuckpc@yahoo.com">chuckpc@yahoo.com</a> wrote:<br>
<br>
> *.* @<a href="http://172.18.1.155:514" rel="noreferrer" target="_blank">172.18.1.155:514</a><br>
<br>
If that's sending absolutely everything that gets syslogged to the SIEM, perhaps the SIEM is getting confused?<br>
<br>
Have you tried getting rsyslog to send the suricata output to a file, and then sending individual lines over to the SIEM using nc(1)? That'd make sure it really was logging the lines you'd expect, and then you can use eg<br>
<br>
echo '<14>sourcehost LogLine' | nc -u 172.19.1.155 514<br>
<br>
to see if you can get the SIEM to accept valid lines. Also compare said lines with the output of snort and see if there's a difference.<br>
<br>
If that works, try limiting what's being sent in rsyslog. If it doesn't work, I'd suspect a config issue in the receiving host.<br>
<br>
You may have already tried all this of course. I'm afraid I use logstash (and logstash-forwarder) to centralise log collection, so my knowledge of Junipers and rsyslog is limited.<br>
<br>
Oliver.<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Brandon Lattin<div>Security Analyst<br><div>University of Minnesota - University Information Security<br>Office: 612-626-6672</div></div></div></div>
</div>